In August, the California Privacy Protection Agency (CPPA) released its initial draft regulations for cybersecurity audits and risk assessments under the California Privacy Rights Act (CPRA). While the CPPA has not yet commenced its formal rulemaking process for these regulations, once finalized, businesses will be required to perform annual cybersecurity audits and regularly submit risk assessments to the CPPA related to their processing of personal information. Last week, at the “Privacy. Security. Risk. 2023” conference hosted by the International Association of Privacy Professionals (IAPP), Executive Director of the CPPA, Ashkan Soltani, indicated that the board will begin its discussions about these draft regulations at its yet-unscheduled November meeting. However, before these regulations become effective, the draft must go through the lengthy California regulatory process.

As currently drafted, the risk assessment regulations focus on privacy-related risks in the use of artificial intelligence and automated decision-making technologies. Note: risk assessments must be conducted and submitted to the CPPA where the business’s processing of personal information presents a significant risk to consumers’ privacy or security. What exactly does that mean? The draft regulations provide some examples, such as selling or sharing personal information, processing sensitive personal information, and processing the personal information of consumers to train AI or automated decision-making technologies.

As part of the lengthy rulemaking process, the CPPA will request public comment to the draft and then subsequently summarize the comments and respond to each one. After processing all of these public comments, the CPPA will compile and prepare its final rulemaking package. This package will include the text of the final regulations, documentation and materials relied upon in the drafting of the regulations, a final statement of reasons with attached appendices containing summaries and responses, and economic and fiscal impact statements. But when will this process really begin?

Well, if we look to the timeline and process for issuing the final CPRA regulations for an estimate, which took a little less than 250 days, the last round of cybersecurity audit and risk assessment regulations will likely go into effect in August or September 2024. However, since these regulations are narrower and cover less subject matter, developing this rulemaking package may not require as much time as the CPRA regulations.

This week, the California Superior Court ruled that the California Privacy Protection Agency (CPPA) cannot begin enforcement of the California Privacy Rights Act (CPRA) until March 2024. The ruling stems from a lawsuit filed by the California Chamber of Commerce, which argued that state businesses would not have enough time to prepare for the upcoming changes and the enforcement thereof.

Judge James P. Arguelles held that the CPRA included plain language requiring the CPPA to have final regulations in place by July 1, 2022, with enforcement allowed to begin a year later. The final rules, which outline how businesses should handle consumer requests to exercise their privacy rights and various other compliance standards, were not issued until March 29, 2023. Judge Arguelles said in his ruling that “[t]he very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.”

A recent report issued by Common Sense Media, a non-profit organization focused on supporting high-quality media and digital resources, found that almost half of the products or apps used by consumers are not in compliance with these California privacy laws.

Ashkan Soltani, Executive Director of the CPPA, noted in a statement after the ruling that “significant portions” of the privacy protections established by Proposition 24, nevertheless, can be enforced as of July 1. Soltani said, “Although we’re disappointed the court granted the Chamber’s request to delay enforcement of portions of the regulations enacted earlier this year [i.e. CPRA], the Agency remains committed to advancing the privacy rights of Californians and will take the appropriate next steps to safeguard the protections Californians overwhelmingly supported at the ballot box” pursuant to the California Privacy Protection Act passed before the CPRA. While businesses have some additional time to get a handle on CPRA requirements, the CPPA will begin enforcement of the Privacy Act, which has been in effect since 2020.

Other states continue to follow California’s lead. On June 30, 2023, the Delaware General Assembly passed HB 154, a CCPA-like comprehensive privacy law that will take effect on January 1, 2025. It applies to businesses that process the personal data of more than 35,000 consumers and does not exempt non-profit organizations. Also note that the consumer privacy laws in Colorado and Connecticut took effect on July 1.

The California Privacy Protection Agency (CPPA) Board will hold its third public hearing on February 3, 2023, at 10 am PST.

The meeting will open with the Chairperson’s Update, during which CPPA Chairperson Jennifer Urban will likely address the status of the delayed California Privacy Rights Act (CPRA) regulations. Chairperson Urban is also a Clinical Professor of Law, the Director of the Samuelson Law, Technology & Public Policy Clinic, and the Co-Director of the Berkeley Center for Law and Technology at the UC Berkeley School of Law. Hopefully, we will see further guidance on the technical requirements of the CPRA and the implementation standards.

Long-awaited amendments and the possible adoption of final CPRA rules are on the agenda. The agenda includes preliminary rulemaking activity for new regulations on risk assessments, cybersecurity audits, and automated decision-making. The fact that the CPPA is undertaking other rulemaking activities may indicate that the Board hopes to adopt the final CPRA regulations at this meeting. Fingers crossed. Members of the public can join the meeting on Zoom.

Members of the public attending will be given the opportunity to comment on each agenda item before any Board action.

Readers of this blog know that we’ve been closely following the California Privacy Rights Act (CPRA) rulemaking process. California passed the law in 2020 to update the California Consumer Privacy Act of 2018 with additional consumer rights and business obligations. The CPRA also established a new government agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the law and drafting regulations.

Unfortunately, writing detailed regulations while balancing the work of breaking ground on a new agency has most likely overwhelmed the CPPA. The CPRA is now effective as of the first of the year, and businesses are still working on compliance with and implementation of the proposed regulations. While much of the draft regulations is likely to remain the same, there are some technical compliance points that companies have to figure out without explicit guidance.

For example, the proposed regulations require businesses to treat “Do Not Track” browser signals as opt-out requests from the consumer. However, processing a “Do Not Track” signal differs from processing specific CPRA data requests. Typical CPRA requests include the consumer’s name and contact information, which the business can check against its records. “Do Not Track” signals only come bundled with specific technical identifiers (such as the IP address and operating system) that aren’t necessarily associated with a consumer in the business’s records. The conditions change again when the consumer is known to the industry and has opted into tracking, making the technical aspects of compliance even more complicated. Companies will need to develop a strategy to address this requirement (unaided by an industry standard for responding to “Do Not Track” signals).

Faced with the January 1 deadline for CPRA compliance, the industry is now hewing as close to the EU’s General Data Protection Regulation (GDPR) controls and implementation as possible. The CPPA may continue to let the standard develop parallel to the GDPR as the path of least resistance for both businesses and regulators.

As companies hustle to follow the new California Privacy Rights Act (CPRA) regulations, they’ve hit a substantial hiccup: there aren’t any yet. The California Privacy Protection Agency (CPPA), the newly created body with administrative authority over the CPRA’s implementation, has yet to release its finalized regulations. The CPRA takes effect on January 1, 2023, and covered businesses are in the final stretch of completing their compliance programs.

The CPPA has released two draft proposals so far, and the more recent draft is in a public consultation period until November 21, 2022. To make matters even more opaque, the CPPA removed several requirements from the first draft to “simplify implementation at this time,” leaving businesses guessing as to which conditions they will eventually need to follow. Many of these proposed rules define technical requirements for websites and mobile applications, so companies will need a runway to achieve a seamless implementation. Luckily, the CPPA has signaled that it will give businesses a soft grace period before pursuing significant enforcement actions. The CPPA’s most recent draft proposal says that it may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” Responsible businesses, though, should proceed as if the most recent draft regulations are the law and plan to update once the final draft is released. Otherwise, they might find themselves scrambling to push out complicated technical updates against the January 1, 2023 deadline.

Last week, the California Privacy Protection Agency (CPPA) released updated California Privacy Rights Act (CPRA) draft regulations and a summary of the changes. The regulations remain in the proposal stage, and it is unclear when to expect finalized rules, although it is likely that this version will include near-final requirements and prohibitions.

While most of the changes from the previous incarnation are technical, the modified proposal also softens one of the more revolutionary requirements: universal opt-out signals. Previously, the regulations required all CPRA-subject businesses to treat browser-based opt-out settings as the consumer’s signaled consent. They also required companies to add a dynamic icon to their website to indicate whether they had responded to the signal. Under the modified rules, businesses need to respond to browser opt-out signals only if they sell or share personal information, and displaying the status icon becomes optional rather than required. Instead, companies can offer consumers choices about the cookies and other tracking technology used on their website, which offers greater transparency for the consumer.

The modified rules also throw businesses a bone on a few other issues. For example, the CPPA removed some statutory privacy and security requirements for business service providers because the CPRA already requires certain provisions in service contracts. The CPPA reworked other rules to “simplify implementation at this time,” but companies would still be wise to prepare for eventual compliance without the rush of meeting the end-of-year deadline. Some of these delayed requirements include disclosing in their online privacy policies the identities of third-party data processors and controllers, and technical requirements for implementing the “Right to Limit” and financial incentive programs.

The updated rules clarify that enforcement actions against companies that employ “dark patterns,” or interfaces that steer consumers toward opting in (or not opting out), do not require showing the business’s intent. Intent is still a “factor to be considered” at the CPPA’s discretion, but offenses in this area impose strict liability on the companies using these technologies. The Board of the CPPA will meet in public sessions on October 28 and 29. See the modified rules and explanations.

On Friday, the newly created California Privacy Protection Agency (CPPA) issued its first proposed regulations under the California Privacy Rights Act (CPRA).

The proposed rules have drawn criticism for requiring companies to treat browser-based “Do Not Track” signals as consumers asserting their opt-out rights. This rule came as a surprise to many observers because, as passed, the statute would have given companies the option to honor or ignore these signals. The draft would additionally require businesses to serve their disclosures in “eye-catching” colors, another area not explicitly prescribed by the CPRA statute.

Perhaps to balance the scales, the proposal also includes a new term of art, “disproportionate effort,” describing situations in which the burden of responding to a consumer request would “significantly outweigh” the consumer’s benefit. A business claiming this exception must give the consumer a detailed explanation that includes enough facts to provide a “meaningful understanding” as to why the business cannot honor the consumer’s request. This exception may also insulate companies from consumers who might abuse the request process. A business could likely claim “disproportionate effort,” for example, if a group of protestors coordinated to overwhelm it with requests.

It seems clear that the CPPA aims to make privacy-by-default the easiest option for California companies. Companies that collect and sell minimal personal information from consumers and respect “Do Not Track” signals will find it easy to comply with these proposed regulations. On the other hand, companies that wish to engage in data brokering would need to jump through significantly more regulatory hurdles.

The CPPA will likely address other key CPRA aspects, such as dark patterns, algorithmic decision making, and child privacy in future proposals.

With the passage of the ballot initiative known as the Consumer Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly-added definition of sensitive information. This week we will focus on some key effective dates in the CPRA along with what it will mean to have a separate privacy rights enforcement agency.

CPRA Effective January 1, 2023

The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.

There is one exception to the 2023 effective date and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also provides additional rulemaking authority, which may also take place prior to the effective date.

Creation of the California Privacy Protection Agency

Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.

The board will have the authority to appoint an executive director, and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40(c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine if a violation has occurred, and to issue orders to cease and desist and to pay an administrative fine of up to $2,500 for each violation or up to $7,500 for each intentional violation, as well as for each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative agency fines.

The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”

The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again, changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.