The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA.

The Proposed Regulations address long-debated issues in U.S. privacy law, such as the effectiveness of user preferences communicated through browser signals. Under the Proposed Regulations, covered businesses must respect these opt-out signals sent through browser settings as effective communication of user preferences. The acceptable methods of opt-out communication is important because CPRA grants consumers the right to opt-out of “sharing” personal information, selling personal information, and processing of sensitive personal information in certain contexts.

Other important provisions of the Proposed Regulations include an extension of the consumer right to request and receive copies of information provided to covered businesses and further clarification of “dark patterns”. Previously, after a consumer request, businesses were only required to provide copies of information received in the past 12 months. The Proposed Regulations require businesses to provide all information collected after January 1, 2022. “Dark patterns” are defined as features which have the effect of “substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent.” Dark patterns were already prohibited under the CPRA, and the Proposed Regulations add that obtaining consumer consent with the use of a dark pattern nullifies the consumer’s consent.

The Agency is set to have a public meeting June 8, and the agenda lists the draft rules as a topic of discussion. The full text of the Proposed Regulations can be found here.

Photo of Ryan Blaney Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.