Great, then you’ve got time to peruse the nearly 900 pages of comments submitted to the California Privacy Protection Agency (CPPA). The agency made a call for feedback in September, asking to hear about new and outstanding issues not addressed by existing implementation regulations for the California Consumer Privacy Act (CCPA).
Some of the most hot-button topics under debate included automated decision-making, opt-out preference signals and the definition of “dark patterns,” which are user interfaces designed to trick users into taking actions or sharing more data than they ordinarily would.
The CPPA was established by the California Consumer Privacy Act (CPRA), which was passed in November 2020 to bolster and replace aspects of the CCPA. The law’s original backers felt the CCPA had been watered down through the legislative process and wanted to try again for a full-strength privacy law.
It’s the California Privacy Protection Agency’s job to create new implementation regs for the CPRA, which goes into effect on January 1, 2023, although compliance already began at the start of this year. The agency also has the authority to update the existing CCPA regs. (It’s worth noting that the agency hasn’t yet started formal rulemaking activities for CPRA.)
Comments were due in early November and published on the CPPA’s website in mid-January.
A wide range of industry stakeholders submitted comments, including from Google, Mozilla, Consumer Reports, Digital Content Next, the California Chamber of Commerce and the California Water Association.
But there wasn’t a lot of agreement among the 70 submissions.
One of the most hotly debated issues had to do with consent interfaces – specifically, the Global Privacy Control (GPC), a universal browser setting that automatically notifies businesses about a user’s privacy preferences.
It’s basically a universal Do Not Track setting revived roughly a decade after negotiations broke down without a clear agreement.
The CPRA requires businesses to honor the GPC. But there aren’t yet any finalized technical specs for implementation, because the final CPRA regs aren’t due for another six months, until July 2022.
The two opposing POVs on the GPC can be summed up quite neatly by the comments from two opposite ends of the ring.
In one corner is Alastair Mactaggart, who led the effort to pass both the CCPA and the CPRA and is in favor of the GPC. In the other corner is law firm Wilson Sonsini, which represents many technology companies.
Mactaggart wants to include language in the final statute that makes it abundantly clear that opt-out signals coming from browsers, devices and apps should be honored as a consumer’s direct request.
In stark contrast, Wilson Sonsini calls for the existing CCPA regulations to be “immediately repealed” and declares the GPC should be replaced with an optional opt-out preference signal that’s more in line with the existing CCPA regulations.
Which point of view will ultimately prevail is unclear, said Wayne Matus, EVP, general counsel and co-founder of privacy compliance platform SafeGuard Privacy. “If forced to make a bet, I would bet on the sponsor,” he said.
“The easiest path for an agency to take is to agree with the sponsor and state that their regulation is not an interpretation but is required by law,” Matus added. “It’s the most likely way to avoid a successful challenge in court.”
In other words, odds on Mactaggart, a champion of the law. He’s got a pretty solid track record so far.
The next step on the road toward finalized implementation regulations for the CPRA is a series of informational hearings hosted by the CPPA to gather more information and preliminary input from the public. Those hearings have yet to be scheduled.
But the ad industry is anxiously awaiting the eventual outcome.
“Unlike the CCPA, which casually contains a reference to GPC, the CPRA regulations are required to contain actual specifications,” said Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis+Gilbert. The CPRA regs should end up including a lot more detail about what qualifies as a valid opt-out preference signal that has to be honored by businesses.
Until then, though, “the industry is sitting on the edge of its seat waiting for the first draft of CPRA regulations to be released,” Kibel said.