On May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) held, via video conference, a series of public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal comments, insights and recommendations to the CPPA as it develops the forthcoming CPRA regulations. The sessions focused on a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumers’ rights (e.g., opt-out rights, limitation on the use of sensitive personal information), and cybersecurity audits and risk assessments. Comments and positions taken among the stakeholders varied. Some of the positions taken by stakeholders are summarized below:
- Automated decision-making. Many stakeholders expressed concern with respect to the scope of the term “automated decision-making technology.” Some stakeholders expressed support for a broad definition. Other stakeholders asked that the CPPA limit the scope to technology that produces a “legal or similarly significant effect” (e.g., has a bearing on a consumer’s credit history). Stakeholders also suggested a risk-based, tiered approach with stricter requirements for tools that collect and/or process sensitive information or conduct automated decision-making that may constitute profiling (e.g., tenant screening algorithms used to flag rental applications).
- Data minimization and purpose limitation. Some stakeholders encouraged the CPPA to provide robust and clear guidance on the CPRA’s requirement that businesses disclose the purposes for which the personal information they collect will be used, and are prohibited from collecting additional categories of personal information or using the personal information collected for additional purposes that are “incompatible with the disclosed purpose for which the personal information was collected” without giving additional notice. Stakeholders called for guidance on what the CPPA considers to be “incompatible,” with some supporting a strict interpretation of the term to include purposes not reasonably anticipated by the average person (e.g., invasive profiling unrelated to providing the products or services requested by the consumer, or voluntary sharing with law enforcement).
- Cybersecurity audits and assessments. Stakeholders generally expressed support for requiring businesses to undergo cybersecurity audits and assessments. Some stakeholders urged the CPPA to ensure that the timing and frequency of risk assessments is appropriate to prevent and mitigate risks to individuals before a business processes personal information. Some stakeholders suggested that the CPPA require businesses to make risk assessments available to the public. Other stakeholders cautioned the CPPA to provide clear but not overly prescriptive guidelines, covering, e.g., when assessments would be required, what assessments should look like and how they should be conducted for compliance purposes. Some stakeholders also asked the CPPA to leverage the requirements set forth by other laws, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and the EU General Data Protection Regulation, so that multinational companies can more easily comply with all of these requirements.
- Harmonization with other regulatory schemes and regulators. Many stakeholders opined that the regulations should align with other regulatory schemes and urged the CPPA to collaborate with other state regulators to harmonize forthcoming requirements with those of other states to the greatest extent possible.
Following these sessions, the CPPA will begin the formal rulemaking process, but publication of final regulations is not expected until July 2023.