On September 22, 2021, the California Privacy Protection Agency opened the next chapter under the California Consumer Privacy Protection Act (CCPA) by issuing a general invitation for public comments on areas for new rule-making.
The California Privacy Rights Act of 2020 (CPRA), which amends and extends the CCPA, requires the Agency to adopt regulations on a lengthy list of topics.[1] The Agency’s Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (Invitation) welcomes comments on any areas of potential rule-making, but highlights eight topics on which the Agency is particularly interested in receiving comments. All eight of these topics involve significant new rights and obligations added by the CPRA, which will become operative January 1, 2023:
1. Cybersecurity audits and risk assessments for processing that presents a significant risk to consumers’ privacy or security
The CPRA requires the Agency to issue regulations that impose two new obligations on businesses whose processing of consumers’ personal information presents “a significant risk to consumers’ privacy or security”: (a) performing annual cybersecurity audits and (b) submitting to the Agency “on a regular basis” a risk assessment with respect to their processing of personal information.[2]
The Invitation seeks comments on topics such as:
- When a business’ processing of personal information should be considered to involve a “significant risk to consumers’ privacy or security;”
- What should be included in the required annual cybersecurity audits;
- What should be included in the required risk assessments to be submitted to the Agency, and how frequently the risk assessments should be submitted; and
- When the “risks to the privacy of the consumer outweigh the benefits” of the processing, such that the processing should be restricted or prohibited.[3]
2. Consumers’ access and opt-out rights with respect to businesses’ use of automated decisionmaking technology
The CPRA requires the Agency to issue regulations “governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology, including profiling.” The CPRA indicates that the regulations should include requiring a business’ response to access requests to include “meaningful information about the logic involved in those decisionmaking processes” and to provide “a description of the likely outcome of the process with respect to the consumer.”[4]
The Invitation seeks comments on:
- What activities should be considered “automated decisionmaking technology” or “profiling;”
- When consumers should be able to access information about use of automated decisionmaking technology, and what processes should be used to facilitate such access;
- What types of information businesses must provide in response to such access requests, including how businesses can provide “meaningful information about the logic involved in automated decisionmaking”; and
- The scope of consumers’ opt-out rights with respect to automated decisionmaking, and what processes should be used to facilitate such opt-outs.
3. The Agency’s right to audit businesses’ compliance with the CCPA
The CPRA created the Agency and empowers the Agency to audit businesses’ compliance with the CCPA.[5] The CPRA also requires the Agency to develop regulations to define the scope and process for exercising its audit rights.[6] In this regard, the Agency has requested comments to help define the scope of its audit authority, the processes it should follow in exercising its audit authority and in selecting businesses to audit, and the safeguards that it should use to protect personal information from disclosure to an auditor.
4. Consumers’ new right to correct their personal information
The CPRA gives consumers a new right to request correction of inaccurate personal information.[7] The Agency has requested comments about rules and procedures to enable consumers to make such requests, including:
- how frequently and under what circumstances a consumer may make correction requests;
- how a business must respond to correction requests, including what steps the business may take to prevent fraud;
- when a business should be exempted from the obligation to honor a correction request because responding would be “impossible, or involve a disproportionate effort” or because the relevant information is already accurate; and
- the process for allowing a consumer to provide a written addendum to their record with the business, if the business rejects their correction request.[8]
5. Standards for opt-out preference signals, when applicable
The CCPA allows consumers to opt out of the “sale” of their personal information,[9] and the CPRA will add a new right for consumers to opt out of the “sharing” of their personal information for cross-context behavioral advertising.[10] Additionally, the CPRA creates new rights for consumers to limit the use or disclosure of “sensitive personal information,”[11] as we will discuss further in the next section.
The CCPA requires businesses to implement certain mechanisms to allow consumers to exercise their opt-out right, such as by providing a conspicuously labeled opt-out link on their websites. However, the CPRA will give businesses the alternative of allowing consumers to exercise their opt-out rights (and their new rights to limit use or disclosure of sensitive personal information) through an “opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications” to be created through the Agency’s rule-making process.
The Agency has requested comments about rules and procedures to allow consumers to limit the use and disclosure of their sensitive personal information. The Agency also seeks comments about technical and logistical requirements for businesses in handling such requests, including:
- What requirements and technical specifications should define an opt-out preference signal sent by a platform, technology, or mechanism, to indicate whether the consumer is opting out of sale, opting out of sharing, and/or seeking to limit use or disclosure of sensitive personal information;[12]
- What technical specifications should be established for an opt-out preference signal to specify that the consumer is under 13 years of age, or at least 13 years of age but under 16 years of age;[13]
- How businesses should process consumer requests expressed through opt-out preference signals; and
- What steps businesses should take to provide consumers who have expressed an opt-out preference via an opt-out preference signal with the opportunity to consent to the sale or sharing of their personal information and/or the use and disclosure of their personal information.[14]
6. Consumers’ new right to limit the use and disclosure of “sensitive personal information”
As noted above, the CPRA allows consumers to direct a business that collects their sensitive personal information to limit its use of their sensitive personal information to that use “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,” to perform certain services, and as authorized by the regulations. However, the CPRA provides that this right does not apply to sensitive personal information that is “collected or processed without the purpose of inferring characteristics about a consumer;” rather, such information would be treated as regular personal information under the CCPA.[15]
Beyond the topics discussed in the prior section, the Agency also seeks comments about when these exceptions should be deemed to apply:
- What constitutes “sensitive personal information” that should be deemed “collected or processed without the purpose of inferring characteristics about a consumer,” such that it is not subject to the right to limit use and disclosure; and
- What use or disclosure of a consumer’s personal information should be permissible notwithstanding the consumer’s direction to limit the use or disclosure of that information.[16]
7. “Specific pieces of information” to be provided in response to a request to know
The CCPA currently requires businesses to provide a consumer, upon request, with a copy of the specific pieces of personal information obtained from the consumer within the preceding 12 months.[17] However, with respect to personal information collected on or after January 1, 2022, consumers may request that the business provide such information beyond that 12-month window, unless this “proves impossible or would involve a disproportionate effort” for the business.[18]
The Agency seeks comments about what standards should determine whether providing information beyond this 12-month window is “impossible” or “would involve a disproportionate effort.”
8. Changes or updates to defined terms in the CCPA
The Agency seeks input on whether changes or updates should be made to defined terms in the CCPA, such as “personal information,” “sensitive personal information,” “de-identified” and/or “unique identifier,” “designated methods for submitting requests,” “intentionally interacts,” “precise geolocation,” “specific pieces of information obtained from the consumer,” “law enforcement agency-approved investigation,” and “dark patterns.”
Concluding thoughts and next steps
The Invitation provides a helpful refresher of many—but certainly not all—of the open issues and unanswered questions to be addressed through this new rule-making process. The Invitation also serves as a reminder that many of the new requirements arising from the CPRA have not yet been written.
Interested parties may submit their comments by Monday, November 8, 2021. The public also will have the opportunity to comment on draft regulations when the Agency proceeds with a notice of proposed rulemaking action. Additional information on the rule-making process is available on the Agency’s regulations page.
____________________________
[1] Cal. Civ. Code §1798.185.
[2] Cal. Civ. Code §1798.185(a)(15).
[3] Cal. Civ. Code §1798.185(a)(15)(B).
[4] Cal. Civ. Code §1798.185(a)(16).
[5] Cal. Civ. Code §1798.199.65.
[6] Cal. Civ. Code §1798.185(a)(18).
[7] Cal. Civ. Code §§1798.106 and 1798.130.
[8] Cal. Civ. Code §1798.185(a)(8).
[9] Cal. Civ. Code §1798.120(a).
[10] The CPRA defines “sharing” as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Cal. Civ. Code §1798.140(ah).
[11] The CPRA defines “sensitive personal information” generally to include categories of personal information that are likely to present a heightened risk of identity theft (e.g., social security, driver’s license, state identification card, or passport number; or account log-in, financial account, debit card, or credit card number in combination with any required code or credentials allowing access to an account); precise geolocation data; race or ethnic origin, religious or philosophical beliefs, or union membership; contents of a consumer’s electronic communications (unless the business is the intended recipient); genetic data; biometric data; health data; sex life or sexual orientation. Cal. Civ. Code §1798.140(ae).
[12] Cal. Civ. Code §1798.185(a)(19)(A).
[13] Cal. Civ. Code §1798.185(a)(19)(B).
[14] Cal. Civ. Code §1798.185(a)(20).
[15] Cal. Civ. Code §1798.121(d).
[16] Cal. Civ. Code §1798.121(a).
[17] Cal. Civ. Code §1798.130(a)(2)(B).
[18] Id.