On October 28 and 29, 2022, the California Privacy Protection Agency (CPPA) conducted a board meeting to discuss potential changes to the California Privacy Rights Act (CPRA). The CPPA solicited feedback from the public during the comment period that closed on August 23, 2022. The CPPA made changes to the CPRA regulations because of the large reaction from the public during the comment period, which produced thousands of pages of feedback.

Key elements discussed and modified:

• Global Privacy Controls (GPC): Opt-Out Preference Signal
  • Businesses are not required by the CCPA to use software that supports or can identify GPC from customers. However, the CPRA will mandate that organizations acknowledge and abide by the data sharing preferences conveyed via GPC.
  • The CPPA discussed scenarios where a consumer’s GPC may be contradictory to what they’ve opted into. The CPPA board concluded that, in order to avoid needless ambiguities, clarifying language will need to be inserted into the CPRA. These modifications will be released in the future.
• Sensitive Personal Information
  • With the new class of Sensitive Personal Information (SPI) identified by CPRA, it is required that businesses tell consumers what SPI will be collected and how it will be used prior to collection so consumers can limit the use of their data.
  • The list of permitted uses for SPI processing that enterprises may pursue without having to provide customers the option to restrict such use was considered by the CPPA board. The CPPA board voiced worries that the list was not sufficiently comprehensive and that this section of the rule needed more consideration before potential modification.
• Data Minimization
  • CPRA draft regulations require organizations collecting consumer information to ensure the collection is “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose that is compatible with the context in which the personal information was collected.” To put it plainly, consumer data cannot be gathered, used, or stored without first informing AND getting the consumer’s consent for the identified use.
  • For businesses and customers to more clearly understand what precisely has to be included in consumer disclosure letters, the CPPA board determined that the existing draft CPRA regulations need clarifying wording to be included. The board decided that the revised regulation needed to be written in a simple and understandable manner.

Within the next two weeks, the CPPA board intends to release revised proposed rules, following which a new public comment period will start. Following that comment period, a final draft of the regulations will be reviewed by the CPPA board and then, by the end of this year, by the California Office of Administrative Law.

Thoughts from Dan Clarke, President of Truyo

 “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements” (Kagan, 2022). This displays at least some accountability of the delays and perhaps a bit of a grace period to enforcement, probably limited to those items that have been in question or changed, but at least it is something. It is unknown if they will meet the timeline for the California Office of Administrative Law. If these deadlines are met, the CPRA will go into effect on schedule on January 1, 2023, but I am skeptical they will be finalized before February.

Truyo will keep you apprised of all updates from the CPPA as CPRA moves closer to the anticipated effective date.

Citations

Kagan, O. (2022, November 8). The new, new, new, new, new CPRA REGS: A Primer. JD Supra. Retrieved November 8, 2022, from https://www.jdsupra.com/legalnews/the-new-new-new-new-new-cpra-regs-a-6533720/