On March 29 and 30, the California Privacy Protection Agency (CPPA), which governs California privacy under both the CCPA and the CPRA, held what Truyo president Dan Clarke dubs its most meaningful meeting thus far, foreshadowing the agency’s upcoming priorities. Here are his expert thoughts on each of the categories discussed.
The Global Privacy Control (GPC) is still in a nascent state but is clearly a priority for the CPPA and the Attorney General, as reflected in the session headed by Stacey Schesser. As Supervising Deputy AG, she has often led the office in privacy enforcement, and she clearly signaled that all companies that collect consumer personal information need to offer an easy “global opt-out option for consumers.”
The CCPA and CPRA both guarantee consumers’ rights to know, delete, and transfer personal information, and Lisa Kim emphasized that this should be a priority for businesses. Don’t make consumers go digging for how to exercise these rights. I think this, in particular, is an easy test for enforcement: has a site made it conspicuous and easy for a consumer to exercise their rights?
Dark patterns, covered by multiple speakers, are clearly an enforcement priority both for California and at the federal level, as evidenced by the presentations of Dr. Jennifer King of Stanford and Lior Strahilevitz of the University of Chicago. Interestingly, they focused on “mild dark patterns,” which, according to them, are more insidious because they are less obvious and thus more likely to be overlooked by a consumer. They recommended that the CPPA have a subject matter expert for this field in particular.
Lorrie Faith Cranor of Carnegie Mellon talked about UI considerations and how to improve privacy notices by making them shorter and clearer.
Using AI in automated decision making is becoming more commonplace and effective, but make sure you are not inadvertently modeling a community class via profiling, especially with regard to protected classes.
New for most US companies, but already required under the GDPR, privacy impact assessments are crucial not only for complying with the CPRA (and other upcoming state laws, such as those in Virginia and Colorado) but also for fully understanding your own environment.
Rather than blazing a new trail, the speakers emphasized that the NIST framework in particular forms an excellent basis for security hygiene. Businesses might additionally consider ISO 270XX, NIST SP 800-53/171, and/or PCI DSS, but should stick to well-known and well-regarded international standards.