Privacy & Information Security Law Blog

On May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference several public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal comments, insights and suggestions to the CPPA as it develops the forthcoming CPRA regulations. The sessions focused on a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumers’ rights (e.g., opt-out rights, limitation on the use of sensitive personal information), and cybersecurity audits and risk assessments. Comments and positions taken amongst the stakeholders varied. Some of the positions taken by stakeholders are summarized below:

• Automated decision-making. Many stakeholders expressed concern with respect to the scope of the term “automated decision-making technology.” Some stakeholders expressed support for a broad definition. Other stakeholders requested that the CPPA limit the scope to technology that produces a “legal or similarly significant effect,” (e.g., has a bearing on consumer’s credit history). Stakeholders also suggested a risk-based, tiered approach with stricter requirements for tools that collect and/or process sensitive information or conduct automated decision-making that would constitute profiling (e.g., tenant screening algorithms to flag rental applications).

• Data minimization and purpose limitation. Some stakeholders encouraged the CPPA to provide robust and clear guidance on the CPRA’s requirement that businesses disclose the purposes for which the personal information they collect will be used, and are prohibited from collecting additional categories of personal information or using the personal information collected for additional purposes that are “incompatible with the disclosed purpose for which the personal information was collected” without giving additional notice. Stakeholders called for guidance on what the CPPA considers to be “incompatible,” with some supporting a strict interpretation of the term to include purposes not reasonably expected by the average person (e.g., invasive profiling unrelated to providing the product or service requested by the consumer or voluntary sharing with law enforcement).

• Cybersecurity audits and assessments. Stakeholders generally expressed support for requiring businesses to undergo cybersecurity audits and assessments. Some stakeholders urged the CPPA to ensure that the timing and frequency of risk assessments is appropriate to prevent and mitigate risks to individuals before a business processes personal information. Some stakeholders suggested that the CPPA require businesses to make risk assessments available to the public. Other stakeholders cautioned the CPPA about providing clear but not overly prescriptive guidelines, covering, e.g., when assessments would be required, how assessments should look and how they should be carried out for compliance purposes. Some stakeholders also asked the CPPA to leverage the requirements set forth by other laws, such as the Virginia Consumer Data Protection Act, Colorado Privacy Act and the EU General Data Protection Regulation, so multinational companies can more easily comply with all of these requirements.

• Harmonization with other regulatory schemes and regulators: Many stakeholders opined that the regulations should align with other regulatory schemes and urged the CPPA to collaborate with other state regulators to harmonize forthcoming requirements with those of other states to the greatest extent possible.

Following these sessions, the CPPA will begin the formal rulemaking process but publication of final regulations is not anticipated until July 2023.