California Data Privacy Round Up - February 2023

This week's roundup highlights critical action on CCPA and is a must-read for e-commerce businesses. Links to more info are in my comment below!

1. Having sent its first CCPA rulemaking package to the Office of Administrative Law for approval, the California Privacy Protection Agency recently invited pre-rulemaking comments on its proposed second round of rulemaking. In the second round, the Agency expects to write rules defining what types of businesses must perform regular cybersecurity audits and submit regular risk assessments to the Agency (among other things).

2. The Attorney General’s CCPA enforcement continues apace, maintaining a focus on the “Do Not Sell” requirements. The AG recently sent investigative letters to a number of businesses offering mobile apps that the AG alleges have failed to comply with consumer requests to opt-out of the “sale” of their personal information or do not offer an opt-out mechanism.

3. To all e-commerce companies: The CCPA, with its complex restrictions on data sharing, may warrant building more flexibility into your tech stack. A recent study of e-commerce firms subject to Europe’s main data privacy law - the GDPR, which has similar restrictions and took effect a couple of years before the CCPA - found that reliance on commonly used, interdependent technologies (such as WordPress, Google Analytics and Marketo) for the sake of business efficiencies often made compliance more burdensome.