A few highlights from the final CCPA regulations:
Per the California Attorney General’s Final Statement of Reasons, a service provider that processes information in breach of the provisions of the agreement between the “business” and such service provider is subject to direct enforcement by the Attorney General, even if the business is not inclined to enforce.
This exhibits some similarity in approach to Art 28(10) of GDPR pursuant to which a data processor who determines the purpose and means of the processing shall be deemed a data controller with respect to such processing and thus subject to the broader data controller scope of liability.
In response to a question about the meaning of “valuable consideration” in the context of a “sale” under the CCPA, the California Attorney General answers: “the meaning is clear.”
Read a detailed examination of the regulations in my client alert.