Interestingly, the California Privacy Protection Agency (CPPA) recently released proposed changes to the CCPA rules. The proposed changes were first made available to the public in a set of materials for the CPPA’s meeting on June 8. Unfortunately, the draft CPRA regulations, which serve as the proposed modifications, were released ahead of the CPPA’s previously declared deadline and without prior notification.

The government must adopt the law’s final regulations by July 31, 2022, which is nearly two months away, and the CPRA is scheduled to take effect on January 1, 2023, which is almost seven months away. However, it is uncertain whether these new Draft Regulations will put the CPPA on track to fulfil the legislative deadline, as the agency had previously announced that the final regulations might not be released until fall 2023.

Businesses will have a road map for CPRA compliance thanks to the Draft Regulations. The Draft Regulations start with the existing CCPA regulations and add the CPRA’s required changes on top of those regulations. Businesses that must comply with the CCPA might start by using the same strategy and their present CCPA compliance structure.

Key Highlights of CPRA Draft Regulations

The main points from each of the Draft Regulations’ major parts are summarized below. MagicPixel is delighted to address any inquiries regarding CPRA compliance and will keep you updated on the CPRA as it develops.

Dark patterns

Any activity that does not adhere to these guidelines may be considered a “dark pattern,” according to the CPRA Draft Regulations. In addition, they define a dark pattern as a UI that, regardless of a company’s intentions, “effects substantially undermining or hampering user’s privacy and decision, or preference.” They also state that any consent obtained through dark patterns will not be considered end-user consent.

Opt-out signals for preferences

The Draft Regulations state that a business must treat an opt-out preference signal as a legitimate request to opt out of sale or sharing if two conditions are met: the signal is sent in a format that is widely accepted by businesses, such as an HTTP header field, and the platform, technology, or mechanism that sends the signal makes it clear to the consumer that use of the signal is intended to have the opt-out effect.

New Notice obligations

The CCPA’s several notice requirements, including the disclosures that must be included in a company’s privacy policy, are modified by the Draft Regulations to be consistent with the CPRA. Before January 1, 2023, companies subject to the law must amend their privacy policies and other disclosures.

Specialized Marketing

According to the Draft Regulations, anyone who enters into a contract with a company to deliver cross-contextual behavioral advertising is considered a third party and not a service provider under the CPRA. This is a crucial clarification since it mandates that companies give customers the option to refuse the sale or sharing of their data with any organizations to which they disclose personal data for cross-contextual behavioral purposes. As a result, businesses that previously treated these third parties as service providers in the sense of the CCPA will need to change their strategy in the future.

Correction Request

The CPRA extends the CCPA’s provisions for individual rights by requiring enterprises to give users the choice to update their information, alongside the right of individuals to view and remove their data. In addition, consumers have the right to update their personal information under all other state laws in the coming year. Therefore, CPRA compliance in this area will also help firms comply with other state laws.

Numerous modifications and clarifications to the CPRA are included in the proposed Regulations, including prohibitions on selling or sharing user data with third parties, requirements for consumer notice and privacy policies, acceptance of opt-out preference signals, and necessary clauses in contracts with third-party service providers.

Notably, the Draft Regulations do not cover all of the CPPA’s regulatory authority. They specifically do not include many of the subjects that are unique to the CPRA (as opposed to those that were also covered by the old CCPA laws), such as cybersecurity audits, restrictions for automated technology, and risk assessments for data protection. Future revisions of the CPRA regulations may include these areas, according to the CPPA.


The Draft Regulations contain detailed instructions on informing customers of their legal rights and obtaining their informed permission. We encourage companies impacted by the CPRA’s proposed regulations to provide feedback to the CPPA. To support customers with compliance, MagicPixel often assists businesses in navigating complex privacy and data security challenges. Additionally, we will keep an eye on CPPA guidance, regulation, and lawsuits under the CPRA. Book a Demo with us now and we will help you with your site’s privacy compliance within hours instead of weeks.