The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). A year ago the current CCPA regulations were finalized, but several complex issues were reserved for further consideration and some proposals were pulled back to ease initial implementation. Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations. New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023. In February 2024 further revised draft regulations were released and considered on March 8 by the CPPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion of what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of proposed rulemaking, the publication of which will be subject to a further Board vote after reviewing the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest.
That could result in effective regulations in Q3, though given the complexity and lack of Board consensus, year end is optimistic.
The current draft regulations being advanced cover three areas: (1) Risk Assessments; (2) Automated Decisionmaking, Profiling and AI; and (3) edits and additions to the current regulations on a variety of issues. We have already covered the assessment proposals here, and will post further on the most recent refinements. Board member Mactaggart (the force behind the ballot initiative that created the underlying law) argued strenuously that the staff’s draft went beyond the scope of the statutory mandate and expressed concern that the proposal was out of step with Europe and Colorado and that its overbreadth would create undue burdens on businesses without addressing what he saw as the proper way to distinguish privacy harms from other potential harms beyond the scope of privacy. Professor de la Torre added that failure to reach a consensus on proper scope created litigation risks that could derail and delay enforcement of the regulatory package. Mr. Le strongly disagreed on the scope issue and suggested a narrower scope could cause him to vote against the package. Chairperson Urban and Mr. Worthe expressed the opinion that public comment would best direct how to further revise the draft regulations, noting the vast difference of opinions on scope and substance. The statements made during a short public comment period just before the votes reflected this divergence of opinions, with industry groups arguing that the draft was too far afield and employee and consumer groups advocating an even broader and stricter approach. One area of controversy that is related to the issue of appropriate scope, but which did not receive much discussion, is the proposed new concept of “behavioral advertising” regulation, deemed to be a form of “extensive profiling,” which we discuss here.
There is a lot more to unpack, such as regulation of employee monitoring and of public places, use of personal data to train AI, and use of technology to make or facilitate “significant decisions” (broadly defined to include things like access to groceries, which Mr. Mactaggart argued would reach the use of technology to send ads or decide where to open stores). We will get into the weeds on all of that in the near future, but in short the debate is more about scope and triggers than about the need for advance notice of practices, opt-out of use and access to information, and about the details of what ought to be required of notice, opt-out and access. On these issues Mr. Mactaggart again urged closer conformity with the approaches taken by Europe and Colorado. The staff’s presentation PowerPoint on these draft regulations is available here.
Of the amendments to the current regulations, the following are particularly noteworthy:
- Covered Entities:
  - Not all non-profits are exempt.
  - $25 Million revenue threshold increased to $27.975 Million.
- Consumer Rights:
  - Any denial, in whole or in part, must explain how to file a complaint with the CPPA / Attorney General.
  - Symmetry of steps applies to any opt-in, not just an opt-in after opt-out.
  - More details on how to give notice of the right to access personal information more than a year old and how to process those requests.
  - Must take steps to ensure deleted data stays deleted, and corrected data stays corrected, when new data is subsequently collected from a third party.
  - Internal and external notice of consumer claims of inaccuracy that were not corrected (due to insufficient proof) is required, unless the request was fraudulent or abusive. This was in an early proposed draft but removed, and has now returned.
  - Consumer statements regarding contested accuracy of health data, which are already required, must be shared with recipients of that data if the consumer requests.
  - A business must inform its source of personal data of correction requests (currently optional).
  - There must be a way for consumers to confirm their sensitive personal information is correct. Currently this is not required, for security reasons.
  - The right to know is expanded to “provide a way for the consumer to confirm that the personal information the business maintains is the same as what the consumer believes it to be.”
  - There must be a website signal indicating the choice setting if global privacy signals are indicated, and a way to confirm the status of do-not-sell/share and limit-sensitive-personal-data-processing opt-out requests.
  - Third party verification services cannot be used unless the business could not verify based on information it already has.
- Notices:
  - Apps must link to privacy statements and opt-outs in-app.
  - Notice of categories of business disclosure recipients narrowed.
  - Requirements for how to give opt-out right notice added for connected devices and virtual reality.
  - Requirements for how to give “limit my sensitive data” rights notice, previously proposed but withdrawn, added back.
  - The “Your Privacy Choices” icon can be modified to be more readable or displayable (this is not in the drafts but was added verbally during the meeting by staff).
- Service Providers and Contractors:
  - New affirmative obligations on service providers and contractors regarding deleted and deidentified data.
  - Permitted processing purposes by service providers and contractors must be reasonably necessary and proportionate.
Professor de la Torre raised, as she has in the past, a request to revise the purpose limitation test in Section 7002 to more clearly match the tests under GDPR and the Colorado regulations, which was followed by a relatively contentious exchange with staff. Chairperson Urban noted that this remained an open issue that should be explored, but urged that it need not hold up the current draft.
The staff will now proceed to produce a rulemaking file, including an initial statement of reasons to explain the intent and purpose of the draft provisions, for board review and approval. Thereafter, a Notice of Proposed Rulemaking based on that file will be published for public comment, and interested parties will have forty-five (45) days to file comments. The staff will consider modifications, which the board will have to vote on, and prepare and publish a further statement of reasons reflecting the public comments; substantive comments must be published. Any modifications will be subject to a new fifteen (15) day public comment period. This process will be repeated until final regulations are approved by the board, which will then be subject to review and approval by the Office of Administrative Law (“OAL”). The OAL could send some regulations back for revision if it determines the CPPA exceeded its statutory authority. An infographic on the rulemaking process by the IAPP is here.
Also of interest was a report on enforcement and enforcement priorities by Michael Macko, Deputy Director of Enforcement. Time ran out before he could present the report, but in the version filed in advance of the meeting Mr. Macko reported that from July 6, 2023, to February 22, 2024 the CPPA had received 1,208 consumer complaints, each one of which is reviewed and evaluated. The percentage under investigation was not revealed. However, he listed the current enforcement priorities as privacy notices and policies, the right to delete, and implementation and processing of consumer requests. All public-facing, low-hanging fruit.