Californian Regulator Tweaks and Clarifies Privacy Rules
Table Of Contents:
December was a milestone month for California’s data privacy watchdog as it moved a set of proposed regulatory revisions into the public comment stage. The revisions cement some of the thinking that has made California one of the pioneers in regional privacy law in recent years. And they provide some much-needed clarity for businesses operating in the state.
A Brief History of Californian Privacy Regulations
The story of these revisions begins in November 2020 with voter approval of Proposition 24, a ballot initiative that produced the California Privacy Rights Act (CPRA). This law amended the 2018 California Consumer Privacy Act (CCPA).
The CCPA had introduced consumer privacy protections – including the right to know what personal information a business collects about them and to request its deletion, and the right to opt out of the sale of their information. The CPRA added more protections, including the right to restrict use of personal information and to correct inaccurate records. It also expanded the CCPA’s “do not sell” mandate about consumer data to cover data sharing. Finally, Prop 24 created the California Privacy Protection Agency (CPPA).
This was a separate authority with oversight into administering and enforcing the CCPA; a job formerly handled solely by the attorney general’s office.
In July 2022, the CCPA began making rules to adopt those CPRA regulations, harmonising the CCPA and CPRA. It introduced the revised regulations that November. They were approved on March 29 by the Office of Administrative Law, but were immediately challenged by the Chamber of Commerce in court. It argued that final regulations were supposed to have been agreed by July 1, 2022, with enforcement to happen no sooner than a year after this point, and asked the court to stay the regulations until a year after their approval (March 29 2024).
The CCPA hasn’t been sitting on its hands while it waits for the injunction to expire. On December 1 it introduced some new proposed revisions to the CCPA regulations. It is this set of proposals that it discussed at a board meeting on December 8 (agenda item three) and then motioned on to its next stage as it enters the official rule making process.
Unpacking the Latest Proposed Revisions
The latest proposed revisions are mostly uncontroversial, explains Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals (IAPP).
“Most of these are not creative departures by the agency,” he tells ISMS.online. “I think they’re mostly meant to be clarifying and updating standards to make things in keeping with the changes the legislature made.”
Clarifying rules were expected to help with the enforcement of both the CCPA and the CPRA, he continues.
“The new law very explicitly empowers the CPPA to clarify certain standards that are not specifically stated in the law itself,” Zweifel-Keegan adds.
Odia Kagan, partner at legal firm Fox Rothschild LLP, calls the proposed revisions the “new, new regs.” They clarify points on which there wasn’t a common consensus, and focus on nuances in areas such as consumer consent.
“There are new examples of what doesn’t constitute consent,” she tells ISMS.online.
For example, the revisions explicitly state that closing a pop-up window that asks for permission to collect and use data rather than explicitly clicking a “yes” button doesn’t indicate consent. It also warns about misleading techniques like putting countdown timers next to consent choices to panic users.
Plain Speaking, Please
Also notable is a focus on clear language. The proposed revisions require plain language that warns businesses to describe the categories of sources from which data is collected, along with third parties with which it might be shared. As the CCPA details in its explanation of the proposed revisions, consumers need a “meaningful understanding” of where companies obtain their personal data.
Tweaks like this will help to make the CCPA more consumer-friendly, explains Kagan.
“If you say, ‘we collect your protected classifications,’ nobody understands what that is,” she says.
Defending the Right to Delete
Perhaps one of the most meaningful proposed revisions affects the right to delete information. It mandates that both businesses and their service providers and contractors ensure that information remains deleted.
“That’s interesting, because the stuff that you get from data brokers is under the magnifying glass now – especially because the FTC just issued two decisions relating to data brokers and the information you get from them,” says Kagan.
These decisions, both issued in January after the CPPA’s proposed rule revisions, related to precise location data sold by X-Mode Social and InMarket Media.
Keeping Pace with Tech Innovation
There are plenty of other clarifying revisions in the CPPA’s proposals, some of which seem strangely specific. For example, one warns that businesses collecting data in augmented or virtual reality (AR/VR) must warn the consumer before they enter the AR/VR environment. This was reintroduced, after being omitted previously to simplify implementation. This is not surprising, though, as the agency’s role in part is to create regulations that keep privacy laws relevant in a rapidly evolving tech landscape that incorporates such innovations.
This need to keep pace with technology development applies particularly to another ongoing rule-making process focused on automated decision making, which will see a separate set of regulations from the CPPA.
“There’s more clarification needed in those situations like automated decision-making technology,” says Zweifel-Keegan. “It is really just one small rule in the statute but could become this whole multi-page page set of rules helping to explain what requirements are in place.”
The CPPA is also working on two more sets of rules in risk assessment and cybersecurity. As it pushes December’s “new new” regulations from the spitballing stage into official rule making territory. It still has plenty of work to do – and those doing business in California must keep a close eye on what it does.
What can businesses do as they track these ongoing changes? In times of uncertainty, look to well-established best practices that will get you close – or all the way – to where you will need to be when the rule-making process is over.
Standards such as ISO 27001 for security management, and its extension ISO 27701 (which lays the groundwork for effective privacy information management systems) are solid foundations for compliance. They will prepare businesses to meet emerging standards for managing and protecting consumer data as they appear.