The California Privacy Protection Agency Board began its preliminary rulemaking activities to solicit input on forthcoming regulations under the California Privacy Rights Act (“CPRA”) in September 2021 when it met to review the CPRA rulemaking process. On September 22, 2021 the Agency began soliciting preliminary written public comments. The Agency then held informational sessions on March 29 and 30, 2022 and stakeholder sessions from May 4 – 6, 2022. These pre-rulemaking sessions yielded some helpful information regarding the views of the Board and the potential direction of the new regulations.
The informational sessions addressed a variety of topics, including CPRA’s data minimization and purpose limitation principles. Notably, Lisa Kim, Deputy Attorney General of the California Department of Justice, opined that businesses that merely disclose their processing activities as required under the California Consumer Privacy Act (“CCPA”) will not meet CPRA’s data minimization and purpose limitation requirements. Deputy Attorney General Kim interpreted CPRA to require businesses to consider whether their processing activities are reasonably necessary and proportionate – a broad construction of CPRA’s text that ties the purpose limitation principle to the notice at collection, and which would represent a meaningful shift in data protection law in the U.S. Another key topic of interest was automated decision-making. Speakers espoused a broad view of the need for choice and transparency, including algorithmic transparency, relating to the use of automated decision-making technology.
Transcripts and videos of the pre-rulemaking informational sessions can be found here.
The stakeholder sessions covered automated decision-making, the data minimization and purpose limitation principles, dark patterns, consumer rights, cyber audits and risk assessments, and businesses’ and consumers’ experiences with the CCPA. Key takeaways included:
- Automated decision-making technology should only be subject to regulation if it has a legal or similarly significant effect on consumers. Several stakeholders requested that the scope of forthcoming regulations pertaining to automated decision-making technology be limited, including representatives from the Future of Privacy Forum, the Alliance for Automotive Innovation, and the Computer & Communications Industry Association. Additionally, stakeholders requested that the regulations: (a) adopt a risk-based approach and only regulate those automated decision-making systems that process sensitive personal information or present a high risk; (b) only cover fully automated systems; and (c) not require businesses to reveal trade secrets, proprietary information, or algorithms associated with the automated decision-making technology.
- Data minimization and purpose limitation principles should be defined. CPRA prohibits businesses from collecting additional categories of personal information or using personal information collected for additional purposes that are “incompatible” with the disclosed purpose for which the personal information was collected without providing notice to consumers. A representative of the Future of Privacy Forum encouraged the Agency to provide guidance on what is considered “incompatible” with the original purpose. Another stakeholder suggested that the Agency look to the EU General Data Protection Regulation (“GDPR”) for inspiration.
- Dark patterns should be limited to user interfaces that are harmful or deceptive. Several stakeholders recommended that the Agency adopt the term “deceptive designs,” “manipulative designs,” or a similar term to more clearly refer to harmful user interfaces designed or manipulated to subvert or impair user choice. Stakeholders expressed their concerns that the current definition of “dark pattern” is unclear and unenforceable.
- Opt-out preference signals need clarification. There is disagreement over whether CCPA requires businesses to fulfill requests received from global privacy controls. Specifically, section 999.315(c) of the CCPA regulations requires businesses to treat opt-out signals received from global privacy controls as valid opt-out requests submitted under CCPA. However, section 1798.135(b) of CPRA allows businesses to forgo providing opt-out links on their webpages if they allow consumers to opt out of the sale or sharing of personal information using an opt-out preference signal, thus suggesting that honoring the signal is optional. Several stakeholders, including representatives from the Future of Privacy Forum, Network Advertising Initiative, California Chamber of Commerce, and California Retailers Association, urged the Agency to address the conflicting global privacy control requirements and any inconsistencies that could result from signals sent from different platforms or from browser or device settings. Additionally, stakeholders argued that the anticipated regulations should make it as easy as possible for consumers to exercise their rights, including their opt-out rights, using mechanisms such as global privacy controls.
- Specific guidance for cybersecurity audits and risk assessments should be provided and leverage existing frameworks. Stakeholders pushed for regulations that provide clear requirements on when audits and risk assessments are triggered, how they should be performed, and the frequency of their performance. Stakeholders suggested that the Agency provide sample templates and leverage existing models under the GDPR and the framework of the National Institute of Standards and Technology.
- Audits performed by the Agency should exempt businesses that are already overseen by the primary regulators for their industries. Stakeholders from the banking industry, including credit unions, urged the Agency to exempt industries overseen by their primary regulators from the Agency’s audits, given that such institutions are already heavily regulated and audits from the Agency would impose an undue burden on those businesses.
- CPRA requirements should be harmonized with other federal and state privacy laws. Stakeholders from consumer rights protection groups and business associations generally agreed that the regulations should harmonize CPRA requirements with requirements under federal laws, such as the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act, as well as requirements under other states’ comprehensive privacy laws, such as those in Colorado, Connecticut, Utah, and Virginia. Stakeholders advocated that the harmonization should include recognizing permanent exceptions for employment and business-to-business information.
We expect the Agency to consider public opinion expressed during the sessions and begin the formal rulemaking process in the months to come. Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor CPRA’s rulemaking process and provide updates as they become available.