California's New Rule on Universal Opt-Outs Will Be Easy to Enforce, Warns Attorney
One of the easiest requirements for enforcers to check for violations under new California Privacy Protection Agency (CPPA) rules is also simple for vigilant businesses to avoid, privacy lawyer David Stauss said during a Troutman webinar Thursday. As such, companies should immediately start displaying on websites that they are honoring universal opt-out preference signals, he said. Separately, Hintze privacy attorney Sam Castic warned that new risk assessment requirements go beyond rules in other states.
The CPPA submitted board-approved regulations on ADMT, cyber audits, risk assessments, insurance and other California Consumer Privacy Act (CCPA) updates to the Office of Administrative Law on Aug. 8, which means OAL must finalize them by Sept. 22, or they are approved automatically (see 2508120025).
“It’s going to happen quick,” with many rules taking effect as soon as OAL approves the package, said Stauss, noting that some rules will have delayed implementation. OAL isn’t “there to be rewriting rules substantively,” and historically, the office has approved all CCPA regulations, he said. “There’s no reason to expect they won’t do the exact same thing [here].”
One requirement that will take effect immediately is to have websites display to users that their Global Privacy Control or other universal opt-out preference signals have been honored. Previous CCPA rules said businesses “may” display this, but under the imminent rules, they “must.” Some cookie-management tools have an option to do this, but the organization must still make sure to toggle it on, Stauss warned. “This is a big deal” since it’s “going to be super easy [for enforcers] to show non-compliance.”
The risk for companies from the upcoming agency rule could be magnified if California this fall enacts a CPPA-endorsed bill on universal opt-out signals that is nearing the finish line in the state legislature, Sidley’s Sheri Porath Rockwell said in a recent interview (see 2508150016). The pending state bill (AB-566) would require all web browsers to support sending universal opt-out signals like the Global Privacy Control, which could significantly increase the number of users who activate the option.
Like Stauss, many lawyers have advised organizations to start preparing now for the imminent CPPA rules (see 2507250027), which the agency’s board approved last month at the end of a lengthy and controversial proceeding (see 2507240070).
Hintze's Castic warned in a Wednesday blog post that part of the CPPA rules on risk assessments exceeds those from other states.
Three of six triggers that would require risk assessments under the CPPA rules “are similar to ones in other states” but “will have a broader impact since the CCPA also applies to personal information of employees, candidates, and B2B business contacts,” he said. Those triggers are pulled when (1) personal information is sold or shared, (2) sensitive information is processed or (3) ADMT is used for some significant decisions.
Three other triggers aren’t found in other states’ laws, said Castic. Those are when “automated processing occurs to infer or extrapolate certain matters or characteristics about a person based on systematic observation in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor,” or when the latter happens based on a person’s “presence in a sensitive location,” he said. The third California-only trigger is when an organization processes personal information for ADMT training purposes, he noted.
“Unlike other states, California will also require proactive submission of certain assessment information to the State,” the lawyer added.
Like other privacy lawyers, Roma Patel and two other Robinson+Cole attorneys said that companies shouldn’t wait for final OAL clearance before diving into the CPPA regulations. “Many industry experts expect that the OAL will only make minor, if any, changes,” the attorneys said in an Aug. 7 blog post. “Businesses should expect the OAL to approve most of this final text. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority.”