Privacy Law

Privacy Law Review – What You Need To Know (October 2021)

CLA’s Privacy Law Section summarizes important developments in California privacy and beyond. 

Chair’s Message

By Sheri Porath Rockwell, Sidley Austin – Privacy Law Section Chair

This has been a busy month in California privacy and we have been busy here in the Privacy Law Section. 

On October 5th, we hosted a Fireside Chat with California Privacy Protection Agency Chair Jennifer Urban, in which she discussed CPRA rulemaking and what the privacy bar can expect from the CPRA rulemaking process.  To access the recording of our conversation, click here.

On October 12th, we held an October Membership Meeting and hosted a conversation with Chetan Gupta, Twitter’s Senior Legal Counsel, Privacy and Data Production, regarding how private industry may be able to make more meaningful changes to privacy controls than regulations.

On October 15th, we launched our exciting new program and opportunity for our members to get involved: CPRA Rulemaking Subcommittees.  Experienced privacy professionals are encouraged to apply to participate in one of our four subcommittees that will draft comments to CPRA proposed regulations and may produce additional work product related to CPRA.  The application is available here; submit it early, as we are already forming groups. 

Finally, from October 20th to 22nd, a contingent of CLA Privacy Law Ex Comm members convened at the IAPP Privacy. Security. Risk 2021 Conference in San Diego where we spread the word about our section and happily met one another in person for the first time!  

Looking ahead ….

  • November Children’s Privacy Webinars – The news is abuzz with issues around children’s privacy and we have two seminars to catch you up and keep you apprised of the newest developments in the area.  We will be presenting two outstanding webinars on the topic in November:
    • November 17, 2021 – U.S. Children’s and Students’ Privacy: COPPA, FERPA, and (Even) the CCPA with Tyler Newby, Fenwick & West.  Register [here]. @ 12 noon PT.
    • November 29, 2021 – Adapting to the Age Appropriate Design Code, Emily Yu, Roblox.  Register [here]. @ 12 noon PT.
  • CPRA Technical Tuesdays – Stay tuned for a series of important webinars that take a deep dive into the technical underpinnings of topics regulated by CPRA, from the Global Privacy Control, to automated decision making, and even digital advertising basics.  We need volunteers to help moderate and coordinate these events, so please let us know if you are interested!  It’s a great way to get involved.
  • CPRA Rulemaking Subcommittees – Take advantage of this unique opportunity to participate in our rulemaking subcommittees where you can have a tangible impact on the development of California privacy law and meet other privacy professionals.  
  • Membership Meet Ups  — Look in your inbox for Membership Meet Ups and virtual networking opportunities. 

Hope to see you at one of our upcoming events this month or next.  Don’t forget to spread the word about our section and get involved!  It is a great way to develop leadership and make a name for yourself in California privacy.   

Reintroduction of Federal Privacy Legislation in Congress

By Ishita Mattoo

There has been a growing push for federal privacy legislation within Congress over the past year. With the current patchwork of sectoral laws, as well as the increasing number of state privacy laws on the horizon, the complexity and ambiguity regarding which privacy laws apply are likely to increase. Proponents of a federal privacy law have argued that it would provide a streamlined legal framework that could lead to greater clarity for consumers as well as businesses.  Further, it could overcome some of the challenges with cross-border and internal data flows between states.

There have been several proposals for federal privacy legislation introduced in Congress. Two significant bills which have been reintroduced recently are the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) and the Data Protection Act of 2021. The key features of each are discussed below.

  1. Setting an American Framework to Ensure Data Access, Transparency and Accountability Act (SAFE DATA Act):

On July 28 this year, Sen. Roger Wicker (R-MS) (chair of the Senate Committee on Commerce, Science, & Transportation) and Sen. Marsha Blackburn (R-TN) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. An earlier version of the bill was introduced last year. The major changes introduced in the 2021 version of the bill include a provision which would prohibit companies from processing personal information in a manner which violates Federal civil rights law and requires the FTC to report any such violation to the relevant Executive or State agency.[1] Important features of the SAFE DATA Act include the following:

  • Establishment of “field pre-emption,” to supersede all state laws and regulations.[2]
  • Significant consumer data rights, such as consumers’ right to access, correct, delete, and be provided their data in a portable format;[3] the right not to have their sensitive data transferred to a third party without their “prior, affirmative express consent;”[4] and the right to opt out of the collection, processing, or transfer of their data.[5]
  • Control on businesses’ use and processing of data through requirements such as the provision of a privacy policy to consumers disclosing which consumer data is collected, processed, and transferred by the business;[6] requirements for businesses to carry out privacy impact assessments;[7] and minimizing the amount of consumer data which a business can collect, process, and retain.[8]
  • Expanded powers for the FTC for protecting consumer data through measures such as maintenance of a data broker registry;[9] and increasing the FTC’s powers to regulate the use of data by common carriers and nonprofit organizations.[10]

  2. Data Protection Act of 2021:

On June 17 this year, the Data Protection Act of 2021 was introduced in Congress by Sen. Kirsten Gillibrand (D-New York). The bill aims to establish a Data Protection Agency (DPA), a federal agency responsible for protecting the data and privacy of consumers and creating “fair and transparent” data practices. Significant changes to the bill from the earlier version introduced in 2020 include provisions establishing an Office of Civil Rights; expansion of the powers of the DPA to regulate the use of “high-risk data practices;” and granting the DPA the power to review certain Big Tech mergers. The key functions of the DPA outlined in the bill include:

  • Leading and coordinating the privacy and data protection work of all Federal departments and agencies;[11]
  • Overseeing “high-risk data practice” risk assessments and risk impact evaluations;[12]
  • Protecting individuals from privacy harms;[13]
  • Providing protections for civil rights and promoting equal opportunity with respect to the processing of personal information;[14] and
  • Developing privacy and data protection guidelines, standards, and policies.[15]

Thus far, neither the SAFE DATA Act nor the Data Protection Act of 2021 has gained momentum in Congress. The most contested aspects of proposed federal legislation appear to be preemption and private rights of action. In the interim, until agreement is reached on these issues, the prospect of a further increase in state legislation seems likely.

How Does China’s New Personal Information Protection Law Compare to the CCPA/CPRA?

By Andrew Scott, CIPP/US, CIPP/E, CIPM

On August 20, 2021, the National People’s Congress (NPC) of China adopted the Personal Information Protection Law (PIPL).  The PIPL goes into effect as of November 1, 2021, and there will be no transition period like we have seen with most privacy law frameworks.

Of the major privacy frameworks, the PIPL aligns more with the General Data Protection Regulation (GDPR) than with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

This is a high-level comparison between the PIPL and the CCPA/CPRA, noting key differences and similarities between the two frameworks, including key definitions, individual rights, business obligations, security measures, and enforcement. 

Even with the CPRA amendments to the CCPA, organizations will likely find compliance efforts to be a more arduous task. 

The PIPL was published in Chinese.  A few organizations have translated the law into English.  The analysis below relied on a translation by DigiChina, which has a wealth of resources available on its website for those interested in further reading on this new law.

Key Definitions

The scope of the PIPL is much broader than California’s privacy framework. The Chinese law applies to the processing of personal information of natural persons within the borders of the People’s Republic of China; the CCPA applies to consumers, which is defined as a natural person who is a resident of California. 

Unlike the CCPA/CPRA, the PIPL does not require an organization to fall within its scope by meeting a particular annual gross revenue threshold; to buy, sell, or share, a particular amount of consumers’ personal information; or receive a certain percentage of its revenue from selling consumers’ personal information to be subject to the law. 

Extraterritorial Reach:  If an organization is not within the borders of China, the PIPL will apply when the “handling activities” either have a purpose to provide products or services to natural persons within China’s borders, to analyze or assess activities of natural persons within China’s borders, or when other circumstances provided in laws or administrative regulations would call for an organization to be brought within the law’s reach (Art. 3).

Processing vs. Handling: The CCPA defines processing as any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.  In the PIPL, processing is called handling.  The Chinese law defines handling of personal information to include the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. (Art. 4).

Business vs. Handler:  Under the CCPA/CPRA, a Business collects consumers’ personal information and determines the purposes and means of the processing of consumers’ personal information. Under the PIPL, a Business is referred to as a Handler.  Handlers are responsible for their personal information handling activities and must adopt the necessary measures to safeguard the security of the personal information they handle (Art. 9).  Of note, circumstances might warrant that Handlers must develop a privacy program (Art. 51).

Service Provider vs. Entrusted Person:  Under the California framework, a Service Provider processes a consumer’s information on behalf of a Business; under the PIPL, a Service Provider is referred to as an Entrusted Person, and they engage in entrusted handling.  Like Service Providers, Entrusted Persons are subject to a purpose limitation when they process data (Art. 21).  Additionally, they are required to take necessary measures to safeguard the security of the personal information they process (Art. 59); process data only as requested by the Handler (Art. 63); and either delete or return to the Handler the personal information they collected if the contract does not take effect, is void, has been cancelled, or has been terminated (Art. 21).

Personal Information:  Under the PIPL, Personal Information is defined as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.”  (Art. 4).  This is broader than the California framework’s definition, which is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Sensitive Personal Information:  Under Article 28 of the PIPL, Sensitive Personal Information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.  Separate consent is needed for Sensitive Personal Information (Art. 29).

There is some overlap between China’s and California’s definitions of Sensitive Personal Information.  Like the PIPL, Section 1798.140(ae) of the CPRA provides that Sensitive Personal Information includes personal information that reveals a consumer’s location tracking (“precise geolocation”), religious beliefs, or financial accounts (“in combination with any security or access code”).  Additionally, the definition includes the processing of certain types of personal information, including medical information (when collected), and the processing of biometric information for the purpose of uniquely identifying a consumer.    

Individual Rights vs. Consumer Rights

Generally, the PIPL aligns with the CCPA/CPRA’s individual rights: to Access (Arts. 44-45), to Delete (PIPL Art. 47 & CCPA/CPRA § 1798.105), to Correct (added via CPRA § 1798.106), the right to Portability (PIPL Art. 45 and amended via CPRA § 1798.130 (a)(3)(B)(iii)) and the right not to be discriminated against (Art. 16 and CCPA/CPRA §1798.125). 

The PIPL, however, goes on to provide more individual rights than the CCPA/CPRA. Aside from the right to appeal and the right to limit or withdraw consent, the PIPL offers a real right to portability (going even further than the GDPR’s portability requirement), allowing an individual to request a transfer of his or her Personal Information from one organization to a competitor.  Even further, deceased people have individual rights to their personal information that can be requested by a close relative for its legitimate and proper interests (Art. 50).

Business/Handler Obligations

Providing Transparency: Both frameworks require notice to be provided before the processing/handling of personal information.  The PIPL requires that transparency be observed in the handling of personal information, requiring that the individual be informed of the purpose, method, and scope of the handling of both Personal Information and Sensitive Personal Information (Arts. 7, 17, and 30).  Notice is also required to be given when a Handler provides another handler with the individual’s Personal Information; consent is required when the scope of handling methods or processing purposes change (Art. 23).  Of note, it would be a best practice to ensure that the privacy notice contains a version written in Chinese.

Similar to the PIPL, the CCPA/CPRA requires notice at collection and particular disclosures to be made in the privacy notice.  While the PIPL does not impose an explicit obligation on Handlers to provide a Do Not Sell/Share My Personal Information link, the law does require that individuals be able to revoke consent in a convenient manner (Art. 15). The PIPL even provides that an individual may revoke their consent to the use of their personal information even when it was publicly disclosed.

Legal Basis for Processing Information:  Under Article 13, the PIPL requires a legal basis for processing personal information. Unlike the CCPA/CPRA framework, the PIPL requires processing be based on either consent (freely given), a contractual necessity, fulfilling statutory duties and obligations, an emergency (protecting health or property), news reporting, information provided to the public, or as provided by other laws. Of note, the PIPL, unlike the GDPR, does not expressly provide for processing based on legitimate interests. 

The PIPL relies heavily on consent, and it requires that consent be fully informed, voluntary, and explicit (Art. 14).  If the data is processed in a way that is inconsistent with the original purposes, the individual must be informed and consent to the new processing.

Adhering to Data Protection Principles:   Article 5 of the PIPL requires the processing of personal information to adhere to data protection principles:  legality, propriety, necessity, sincerity; data cannot be processed in any “misleading, swindling, coercive, or other such ways.”  Article 19 of the law requires that personal information is only permitted to be retained for the period required to accomplish the purpose.  The California framework has not codified as many data principles. CPRA, however, added a data minimization requirement (§§ 1798.100 (c) and 1798.100 (a)(d)).

Children’s Privacy: Under the PIPL, Personal Information of minors under the age of 14 is considered Sensitive Personal Information.  Accordingly, Handlers processing such information shall obtain the consent of the parent or other guardian of the minor (Art. 31). Under CPRA, a business must obtain opt-in consent before selling or sharing personal information of a consumer under 16. (§ 1798.135(c)(5)). 

Automated Decision-making:  The PIPL addresses automated decision-making, requiring Handlers to be transparent about this process and to not engage in unreasonable differential treatment of individuals (Arts. 24 and 55).  On the other hand, the CPRA does not create any direct consumer rights or organizational responsibilities with respect to automated decision-making; however, this may change as the use of automated decision-making is within the scope of the regulations to be promulgated. (See § 1798.185(a)(16)).

Cross-Border Data Transfers:  The California framework has no restrictions on cross-border data transfers.  The PIPL, however, restricts cross-border transfers (Arts. 38-43).  Handlers that transfer data across borders must acquire separate consent from individuals and provide notice, including of the ways or procedures for individuals to exercise their rights under the PIPL and other such matters (Art. 39).

Data Protection Officer and Representatives located outside of China:  The PIPL states a Handler may need to appoint a Data Protection Officer (Art. 52).  If a Handler is not established within China’s borders, the PIPL provides that a personal representative must be appointed within China (Art. 53).

Cookies:  Neither framework specifically mentions cookies or imposes a requirement that a website obtain consent from a user before placing cookies on the user’s browser or device.  The lack of cookie requirements, however, does not necessarily mean that placement of cookies on devices of a user based in China is exempted from needing a legal basis to process any information gained.  Like the CCPA/CPRA, handling of cookie data will likely require consent, meaning that cookie banners with privacy notices will be required on websites visited by individuals within the borders of China.

Security and Data Breach

The PIPL provides for data breach notification and security measures.  Handlers are required to ensure the quality of the Personal Information and to avoid adverse effects on individual rights and interests from inaccurate or incomplete personal information. (Art. 9).  In doing so, Handlers must adopt particular measures to prevent unauthorized access as well as personal information leaks, distortion, or loss.  (Art. 51).  Some of the requirements include implementing technical security measures (i.e., encryption and de-identification) and implementing security incident response plans. 

If a breach does occur, Handlers must adopt remediation measures and notify proper government authorities.  If a Chinese regulatory authority considers that the data breach may cause damage to individuals, it may require the personal information controller to notify individuals.  (Art. 57).

Personal Information Protection Impact Assessment:  Under the PIPL, Handlers must conduct Personal Information Protection Impact Assessment in a number of cases, including the handling of Sensitive Personal Information, conducting automated decision-making with personal information, and providing information abroad.  (Art. 55). 

Section 1798.185(a)(15) of the CPRA is one of the law’s most important provisions.  This provision involves issuing regulations requiring businesses to conduct annual impact risk assessments. In determining whether the processing “may result in significant risk to the security of personal information,” the CPRA identifies two factors to be considered: (1) the size and complexity of the business; and (2) the nature and scope of processing activities.  The specific requirements for these audits will be determined by future regulations; however, businesses can expect that they will have to define the audit’s scope and ensure a thorough and independent process. 


In general, the PIPL’s enforcement measures are more extensive and elaborate than those in the CCPA/CPRA. There is some similarity, however, with respect to how the frameworks approach rulemaking, fining authority, and the private right of action.

Rulemaking:  Both frameworks have rulemaking authority.  China’s State Cybersecurity and Information Department has broad Personal Information duties and responsibilities, including formulating personal information protection rules and standards.  (Arts. 60-63).  Under the CPRA, the California Privacy Protection Agency (CalPPA) will assume rulemaking responsibilities. (§1798.185). 

Fining Authority:  Both frameworks have civil fining authority. Under the California framework, an organization may be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. (§ 1798.155 (CCPA) and §§ 1798.155, 1798.199.55, 1798.199.90 (CPRA)).  Under Article 66 of the PIPL, violations can call for fines that reach up to 1 million Yuan (~$155,200).  For more grave violations, fines can be assessed up to either 50 million Yuan (~$7,700,000) or 5% of the previous year’s annual revenue.

Private Right of Action:  Both frameworks provide for a private right of action.  Under the California framework, a private right of action is available when a consumer’s unredacted or unencrypted personal information has been breached due to a lack of, or failure to maintain, reasonable security measures (§ 1798.150).  The PIPL does not expressly indicate individuals have a private right of action available to them in the event there is a security breach; however, individuals may file a lawsuit against a handler when it rejects a request to exercise their rights (Art. 50).  The PIPL does indicate that other government and statutorily designated consumer organizations may file lawsuits when the handling results in harm to a large number of people (Arts. 69-70).

Personal and Criminal Liability:  For the more “grave” violations, the PIPL provides that the employee or employees who are directly responsible for the harm are to be fined and may be prohibited from holding particular higher-level positions for a certain period (Art. 66).  In some cases, violations will also be reported to individuals’ (and organizations’) credit files and publicized (Art. 67).  Additionally, the PIPL suggests that when violations of the law constitute a crime, criminal liability is to be investigated according to the law (Art. 70).

New Considerations

Reciprocation:  The PIPL provides that if any country or region prohibits, limits, or discriminates against China in the area of personal information protection, China may adopt reciprocal measures against that country or region (Art. 43).

Handlers that provide “important Internet platform services”:  The PIPL provides that Internet platform services that have a large number of users and whose business models are complex are required to fulfill additional obligations (Art. 58).  It should be noted that “important Internet platform services” has not been defined.  Expect more to be revealed.


As with GDPR, the PIPL is a complicated law that will require extensive analysis by any U.S. entity subject to its application.  The law is more thorough and extensive than the CCPA/CPRA.  Between the law going into effect November 1, 2021, and the shortage of guidance that has been provided by the Chinese government, organizations that believe they may be subject to the law should attempt to be as thorough as possible in implementing mechanisms to comply with the law. 

Oklahoma State Legislature Representative Introduces Data Privacy Bill For Second Time

By Brandon Jasso

Although there continues to be discussion about the potential passage of a federal data privacy law, states are not waiting until such time to make sure that their citizens are protected. On September 9, 2021, Oklahoma State Legislature Representative Collin Walke (D) (“Rep. Walke”)[i] and Representative Josh West (R) (“Rep. West”)—through a bipartisan act—introduced House Bill 2969 (“HB-2969”) (see here; and the text can be found here) in the Oklahoma House of Representatives. However, this is not the first time that Reps. Walke and West have worked together to introduce a data privacy law in their state’s legislature.

Previously, on January 19, 2021, Reps. Walke and West introduced House Bill 1602 (“HB-1602”) (see here; and the text can be found here) during the previous legislative session. Oklahoma legislative sessions usually run from the first Monday in February through the last Friday in May (a summary of the Oklahoma Legislature and bill passage process can be found here and here). HB-1602 was ultimately brought before the House floor, amended, brought up for the required third reading, and passed with bipartisan support with an 85-11 vote and 5 abstentions. Afterward, HB-1602 was sent to the Oklahoma State Senate and referred for review to the Senate Judiciary Committee for its required second reading. Unfortunately, HB-1602 was never heard by the committee (see here), which ultimately resulted in HB-1602 dying in the Senate when the session ended in May 2021.

Reps. Walke and West hope that reintroduction of their privacy bill can help to protect their state’s citizens. In a joint press release (see here), Rep. West stated that “[t]he importance of data privacy legislation cannot be overstated.” Rep. West further stated, “[l]ast session we attempted to compromise with many in the tech industry on our data privacy legislation, but many preferred to not meet us halfway and stopped our bill in the Senate,” and that he believes the law is the “the most stringent data privacy law in the nation.” Rep. Walke added that:

The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.

The text of HB-2969 resembles many of the other data privacy laws currently in place around the nation and the world, and contains seventeen sections. Furthermore, HB-2969 is a more concise version of the previously introduced HB-1602.

HB-2969 is applicable to for-profit businesses; it applies to a “business” that is “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers’ personal information . . . and does business in the State of Oklahoma” and meets one of the following: (1) “has annual gross revenues in excess of Ten Million Dollars ($10,000,000.00) in the preceding calendar year”; (2) annually buys, receives, shares, or discloses for commercial purposes, alone or in combination, the personal information of twenty-five thousand or more consumers, households or devices; or (3) derives fifty percent (50%) or more of its annual revenues from sharing consumers’ personal information. Furthermore, the law also addresses applicability to “any entity that controls or is controlled by a business” or to “a joint venture or partnership composed of businesses in which each business has at least a forty-percent interest.” See HB-2969 § 3(3).

A quick summary of the bill’s sections is as follows:

  • Section 1 introduces the act’s formal name, “Oklahoma Computer Data Privacy Act of 2022.”
  • Section 2 provides a detailed summary of the legislative intent and belief in a right to privacy. It further adds that the bill is intended to complement other privacy laws and, where a conflict occurs, the law that provides more protections controls.
  • Section 3 provides the bill’s definitions and includes definitions for a business, service providers, collection of information, consumer, personal information (very broad definition), processing (including by automated means), and many more for a total of 19 definitions with subsections.
  • Section 4 provides that the Oklahoma Attorney General shall be responsible for enforcing HB-2969. It further provides for civil penalties up to $2,500.00 for each unintentional violation and up to $7,500.00 for each intentional violation.
  • Section 5 requires the use of a privacy policy that is required to be in plain language explaining how a consumer may exercise their HB-2969 rights, identifies what personal information is collected, whether personal information is disclosed and to whom, and the business’s retention policy for personal information.
  • Section 6 provides the consumer with the right to delete their information held by a business.
  • Section 7 provides businesses with the right to reject a deletion request to comply with legal requirements. However, the business must notify the consumer why the request was denied and under what basis.
  • Section 8 provides consumers with the right to access what information is retained by a business about the consumer, including whether it was disclosed to a service provider.
  • Section 9 provides the consumer the right to correct inaccurate information held by a business.
  • Section 10 provides that a consumer shall not be discriminated against for exercising any of their rights pursuant to HB-2969.
  • Section 11 provides that a business shall provide at least two points of contacts for consumer requests and that they shall be readily identifiable by the consumer. It further adds that a business has forty-five (45) days to respond to a request and can extend the deadline by forty-five (45) days when not possible to respond within the initial forty-five (45) day window. It also limits the required disclosures to a particular consumer to twice in a twelve (12) month period.
  • Section 12 provides protections for businesses and service providers so that the law does not restrict their ability to comply with state, federal, or local laws or a “civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities”; cooperate with law enforcement; litigate civil claims; work with deidentified information; or collect or share information outside of Oklahoma. It also does not require the violation of evidentiary privileges, and it excepts personal health information from the law.
  • Section 13 provides that courts shall ignore steps or actions taken with the intention to avoid the reach of the law.
  • Section 14 provides that waivers of any rights in the bill are contrary to public policy and thus void and unenforceable.
  • Section 15 provides that it shall be “unlawful for any company to design, modify, or manipulate a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision making, or choice.” These types of actions are commonly known as “dark patterns” (see here for more information).
  • Section 16 provides that the law shall be severable, so that if any portion is found to be void, enforcement of the remaining sections is not prevented.
  • Section 17 provides that the law shall become effective on November 1, 2023.

Although Reps. Walke and West have worked very hard for their state constituents, the law is missing a definition or discussion of sensitive personal information, the right to opt out of the use of sensitive information, age-based opt-outs, a requirement for privacy by design, records requirements for processing, a risk and impact assessment requirement, and a private right of action, and it does not identify who shall have rule or regulation drafting authority for the law. However, such amendments or changes can be made during the legislative process or by the passage of an additional bill, as happened with the California Consumer Privacy Act and the California Privacy Rights Act.

The law is expected to come up for a reading on the House floor on February 7, 2022, when the new legislative session begins. You can receive official email updates directly from the Oklahoma Legislature by using the link in the upper right-hand corner of the bill’s page (here).

October Legislative Committee Update: Invitation to Our CPRA Rulemaking Working Group

By the CPRA Working Group

The Privacy Law Section of the California Lawyers Association (CLA) invites members with privacy experience to apply to participate in its California Privacy Rights Act (CPRA) Rulemaking Working Group. The CPRA Working Group will be comprised of issue-focused subcommittees of privacy professionals from diverse settings (e.g., in-house lawyers; products counsel; public interest advocates; academic researchers). Each subcommittee will be charged with drafting comments to be included in the Privacy Law Section’s submission to the California Privacy Protection Agency as part of the rulemaking process for the CPRA.

This is an extraordinary opportunity to meet other privacy professionals and work together to help shape the future of California privacy law. The group will provide input on specific topics of CPRA rulemaking to offer helpful guidance and suggestions to ensure the regulations are effective and workable.

If you are interested in applying to participate in the CPRA Working Group, please complete the CPRA Rulemaking Working Group Application here, and submit it to us as soon as possible.  We are accepting applications on a rolling basis, but we will look to have our first kick-off meeting for the CPRA Working Group on October 29, 2021. Please note, participation in the CPRA Working Group is limited to current members of the California Lawyers Association. If you are interested in joining, click here.

More details about the CPRA Working Group are below.

What Experience Do I Need to Participate in the CPRA Working Group?

The CPRA Working Group will be limited to current members of the CLA who have experience implementing CCPA or GDPR or who have experience in the substantive issue areas (e.g., privacy impact assessments) that will be the topic of CPRA regulations. We will create subcommittees that represent a diverse cross-section of California privacy practitioners.

What Issues Will the CPRA Working Group Tackle?

The CPRA Working Group subcommittees will be focused on CPRA-identified subjects of rulemaking, including those that were recently identified by the California Privacy Protection Agency in their call for preliminary rulemaking comments. The topics the CPRA Working Group subcommittees will address will depend upon the number of applications we receive and applicants’ areas of interest and expertise.

What is the Time Commitment Required to Participate?

CPRA Working Group members should be prepared to devote, on average, at least 5 to 10 hours a month to the subcommittee work, beginning in October 2021 through at least May 2022 (or longer, depending upon the rulemaking process). Members should be able to participate in weekly or bi-weekly meetings and to complete drafting or analysis assignments between meetings. It is possible some or all of these meetings may occur during the work week, so members should be able to attend meetings at those times. All meetings will be conducted remotely.

How Will Lawyers with Diverse Perspectives and Interests Agree Upon Substantive Comments?

We intend to leverage the years of expertise CLA has in bringing together lawyers from different perspectives to comment upon legislation and rulemaking efforts across many different issue areas. Indeed, in 2019, members of CLA formed a CCPA Working Group comprised of diverse lawyers that submitted 11 pages of substantive comments to draft CCPA regulations.


If you have questions about the process, please email us at We look forward to hearing from you!
