California’s new privacy protection agency put out the bat call last week for public comments as it gets ready to create implementation regulations for the California Privacy Rights Act (CPRA).
Although the public can submit comments related to any area where the agency has authority, the agency has said that in this case, it’s “particularly interested in comments on new and undecided issues not already covered by the existing CCPA regulations.”
Once finalized, implementation regs help businesses with their compliance efforts by providing operation guidance that fills in any gaps in the original law.
The CPRA applies to any company with annual revenue of $25 million or higher that shares, sales or acquires the personal data of 100,000 or more customers or households. But the law also applies if a company makes at least half of its annual revenue from exchanging or selling personal info – regardless of total revenue.
In other words, this law needs to be on the radar of every ad tech company, marketer and publisher up and down the supply chain.
Comments are due to the agency by Monday, November 8.
But first, how did we get here?
The California Privacy Rights Act is the law that was passed by ballot measure last November – Prop 24 – as an amendment to bolster the California Consumer Privacy Act (CCPA) that preceded it.
The CPRA’s purpose is to make it more difficult for regulators to water down consumer protections in California, which is what many privacy advocates felt happened when the CCPA originally passed through the state legislature.
The law also required the creation of a brand-new administrative entity called the California Privacy Protection Agency – separate from the attorney general’s office – tasked with implementing and enforcing the law and protecting consumer privacy rights. The agency’s board, appointed in March, is made up of five members, a mixture of lawyers and academics, with expertise in privacy and technology.
It’s the new agency’s job to first establish and then promulgate final implementation regs for the CPRA by July 1, 2022.
There’s some worry, however, that the deadline isn’t doable, considering how little time is left to get this done. The regs are only in the very early stages – and it took three drafts and the better part of a year before the California Attorney General’s office was able to finalize rules for the CCPA.
California’s Office of Administrative Law will also have to approve the final regs, a process that could take up to an additional 30 days.
At the agency’s most recent meeting in September, the board expressed its concern about the timing and discussed possibly extending the July 1, 2022, deadline.
Get your red pens ready
In the meantime, though, the California Privacy Protection Agency will continue to seek comments by November 8 as it gears up to develop implementation regulations for the CPRA.
There are eight specific topics on which the agency is particularly keen to gather feedback:
1. Data processing that presents a significant risk to consumer privacy or security and what types of cybersecurity audits and risk assessments businesses should perform to protect consumers.
2. Automated decision-making, including what opt-out rights should exist with respect to automated technology.
3. What audits should be performed by the California Privacy Protection Agency itself, including the scope.
4. Clarity on the consumer rights bestowed by the CCPA, including the right to delete, the right to correct and the right to know.
For example: How should a business respond to a request for correction? When should a business be exempted from the obligation to take action on a request because responding to the request would either be impossible or involve a disproportionate effort?
5. How to implement a consumer’s right to opt out of the selling or sharing of their personal information and limit the use and disclosure of their sensitive personal information.
The AG’s CCPA implementation regulations require businesses to respect user-enabled global privacy controls, such as a browser plug-in or device settings. The California attorney general, Rob Bonta, who took over from Xavier Becerra in March, has also publicly supported a Global Privacy Control. (If that sounds familiar, it’s pretty much Do Not Track.)
But what requirements and technical specifications should define an opt-out preference signal sent by a platform, technology or mechanism?
6. How to implement a consumer’s right to limit the use and disclosure of sensitive personal information, including what exactly constitutes “sensitive personal information” and whether there are any exceptions that don’t require the same level of disclosures.
7. What specific pieces of information should businesses provide in response to a consumer’s request to know what of their personal information has been collected, used, shared or sold and why the data was collected in the first place.
8. Clearer definitions and categories for terms used within the CCPA and CPRA, including the specific meaning of “deidentified,” “unique identifier” and “dark patterns.”
Once the comments are in, it’s only the first step.
The California Privacy Protection Agency will then begin the formal rulemaking process, which will include at least one more public comment period. The agency will also likely host multiple public town hall-type meetings to collect comments, the times and dates of which are TBD.