The first regulations for the California Privacy Rights Act (CPRA) went into effect last week, more than two years after voters ushered it into law.
The path to this milestone has been anything but smooth for the measure that updated the 2018 California Consumer Privacy Act. The new law created the California Privacy Protection Agency, which is in charge of rulemaking. However, the agency has faced delays setting itself up and issuing new rules, which have been criticized by businesses concerned with compliance costs.
Amid that backdrop, the state’s main business lobbying group sued the agency last week to delay enforcement of the law, as businesses adjust their privacy practices. The suit has added more uncertainty to the question of how to safeguard the privacy rights of more than 39 million state residents in a digital era.
1. What are the initial regulations?
The CPRA is a bunch of enhanced amendments to the California Consumer Privacy Act, the state’s comprehensive privacy law. The state attorney general’s office already created regulations for the 2018 law, but passage of the California Privacy Rights Act required the agency to update those regulations.
Very broadly, the CPRA adds in more protections for privacy, such as limiting when and how a consumer’s personal information is handled. Under the law, a business needs to have a “reasonably necessary and proportionate” purpose for collecting data, in line with a consumer’s “reasonable expectations” of how it would be used.
The regulations outline compliance standards around privacy rights. They detail when notices have to be given, how to handle consumer requests to exercise those rights and what has to be in place so that consumers aren’t unfairly nudged toward sharing their data, a practice known as “dark patterns.”
New rights for consumers include:
- to opt out of the “sharing” of personal information. This closes a loophole in which only the “sale” of personal information was covered under the 2018 privacy law.
- to correct personal information.
- to limit use and disclosure of “sensitive” personal information, a new category that includes financial information, geolocation data, government identification, and protected characteristics.
New requirements are imposed on service providers, contractors and third parties — companies that process personal information on behalf of or receive data from the main business — to comply with consumer requests as well. The rules require contracts to include provisions ensuring that all parties are held responsible for following the law.
2. What have been some concerns?
Industry groups and the state privacy agency disagree over whether regulations are consistent with the underlying California Privacy Rights Act.
The biggest contention has been over the agency’s decision to embrace tools that allow users to automatically emit a signal that opts out of sharing data for every site a user visits. While businesses maintain the CPRA gives the option of recognizing opt-out signals or posting opt-out links on their websites, the agency has said the law mandates recognizing the signals.
Business groups have also complained about how many standards and requirements are not practical enough. For instance, they’ve said there are too many test factors for deciding when they can process consumer data, leaving companies unclear on whether they are violating the law. Additionally, rules around consumer requests don’t provide flexibility in determining if a request is credible or burdensome, they argue. There’s also no technical guidance on what type of opt-out signals should be recognized.
Consumer privacy advocates also have their own reservations, calling some of the guidelines around dark patterns too permissive and questioning whether service providers and third parties are sufficiently held accountable on compliance with consumer requests.
3. What will happen next?
The rules that went into effect March 29 only cover the basics of the CPRA. The privacy agency still needs to issue regulations for several more topic areas listed in the act. Currently, the agency is going through feedback on what to do with such topics as automated decision making, risk assessments and cybersecurity audits.
However, the agency technically was supposed to be done with all its regulations by July 1, 2022. That didn’t happen as the agency struggled with hiring staff and starting from scratch, CPPA Director Ashkan Soltani said in past agency meetings.
The next important date is July 1, when enforcement of the new CPRA changes is scheduled to start. The agency has been hiring for its enforcement team in preparation.
Given only partial regulations have been finalized, businesses say they are struggling and without any clear direction. For the regulations that went into effect, the time between now and July is not enough to navigate complicated rules and processes, business lobbyists said. As a result, the California Chamber of Commerce sued the agency to push back the enforcement start date by at least a year.
The regulations have addressed the discrepancy by saying that any enforcement action will consider the time between the effective date of the requirement and when the violation occurred. “Good-faith efforts” to comply will also be considered.
The CPPA is set to discuss the lawsuit at its April 14 meeting in closed session. Until a decision in court is made, the agency intends to continue its rulemaking and begin enforcement this July as outlined in the CPRA.