Privacy Law
May 4th-6th CPPA Stakeholder Meetings Takeaways – By Natalie Marcell
The California Privacy Protection Agency (CalPPA) held pre-rulemaking stakeholder sessions that were open to the public from May 4th-6th (link to Meeting Records and Agenda).
During these sessions, stakeholders provided verbal comments and suggestions to the CalPPA related to the forthcoming CCPA regulations. The stakeholder sessions focused on a number of issues summarized below:
- Automated decision making: Several stakeholders expressed an overall concern with respect to the term “automated decision-making technology.” Several stakeholders requested that the CalPPA limit the scope of forthcoming regulations pertaining to automated decision making technology. Other stakeholders expressed support for a broad definition of “automated decision-making technology.” Some stakeholders requested that the regulations: adopt a risk based approach and only regulate automated decision making systems that process sensitive PI or present a high risk; that they only cover fully automated systems; and that they not require businesses to reveal trade secrets, proprietary information, or algorithms associated with the automated decision making technology.
- Data minimization and purpose limitation: The CPRA indicates that businesses cannot collect additional categories of PI or use PI for purposes that are “incompatible” with the disclosed purpose. Comments presented to the CalPPA included the request for guidance on what is considered “incompatible” with the original purpose. Suggestions were made that the CalPPA look to the EU General Data Protection Regulation (GDPR) for guidance.
- Dark patterns: Recommendations included that the CalPPA adopt the term “deceptive designs”, “manipulative designs” or a similar term to more clearly refer to harmful user interfaces. Concerns expressed that the current definition of “dark pattern” is unclear and unenforceable.
- Opt out preference signals: Stakeholders expressed disagreement as to whether the CCPA (as amended by the CPRA) requires businesses to fulfill requests received from Global Privacy Controls as valid opt out requests submitted under CCPA. Several stakeholders urged the CalPPA to address conflicting global privacy controls requirements and inconsistencies that could result from signals sent from different platforms or browser or device settings. Stakeholders argued that the anticipated regulations should make it as easy as possible for consumers to exercise their rights including opt out rights using mechanisms such as global privacy controls.
- Cybersecurity audits and risk assessments: There was general support for requiring cybersecurity audits and assessments. There was also a push for the CalPPA to provide clear requirements on when audits and risk assessments are triggered, how they should be performed, and the frequency of their performance. Requests were made for the CalPPA to provide sample templates and for the CalPPA to leverage existing models under the GDPR and the framework of the National Institute of Standards and Technology (NIST). Some suggestions also included that the CalPPA require businesses to make their risk assessments available to the public.
- Harmonization with other regulatory schemes and regulators: Stakeholders from consumer rights protection grounds and business associations generally agreed that the regulations should harmonize the CPRA requirements with requirements from federal laws, such as the Federal Trade Commission Act (FTC Act), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Children’s Online Privacy Protection Act (COPPA). It was also advocated that harmonization should include recognizing permanent exemptions for employment and B2B information. Stakeholders from the banking industry urged that businesses in industries overseen by primary regulators should be exempted from audits arguing that audits from the CalPPA would cause undue burden.