California privacy agency invites public to participate in new CCPA / CPRA regulations
On September 22, 2021, the California Privacy Protection Agency opened the next chapter under the California Consumer Privacy Act (CCPA) by issuing a general call for public comment on the areas that require new regulations.
The California Privacy Rights Act of 2020 (CPRA), which amends and expands the CCPA, requires the Agency to adopt regulations on a long list of subjects. The Agency’s Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (the Invitation) welcomes comments on any potential area of rulemaking, but highlights eight areas on which the Agency is particularly interested in receiving comments. All eight topics involve important new rights and obligations added by the CPRA, which take effect on January 1, 2023:
1. Cybersecurity audits and risk assessments for processing that poses a significant risk to consumer privacy or security
The CPRA requires the Agency to promulgate regulations that impose two new obligations on businesses whose processing of consumer personal information presents “a significant risk to consumers’ privacy or security”: (a) conduct annual cybersecurity audits and (b) submit to the Agency “on a regular basis” a risk assessment of their processing of personal information.
The invitation solicits comments on topics such as:
- When a business’s processing of personal information should be considered to present a “significant risk to consumers’ privacy or security”;
- What should be included in the required annual cybersecurity audits;
- What should be included in the risk assessments to be submitted to the Agency, and how often those risk assessments should be submitted; and
- When the “risks to the privacy of the consumer outweigh the benefits” of the processing, such that the processing should be restricted or prohibited.
2. Consumer access and opt-out rights regarding business use of automated decision-making technology
The CPRA requires the Agency to promulgate regulations “governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology, including profiling.” The CPRA states that the regulations should require a business’s response to an access request to include “meaningful information about the logic involved in those decisionmaking processes” and to provide “a description of the likely outcome of the process with respect to the consumer.”
The invitation solicits comments on:
- What activities should be considered “automated decisionmaking technology” or “profiling”;
- When consumers should be able to access information about a business’s use of automated decisionmaking technology, and what processes should be used to facilitate that access;
- What types of information businesses must provide in response to such access requests, including how businesses can provide “meaningful information about the logic involved” in automated decisionmaking; and
- The extent of consumers’ opt-out rights with respect to automated decision-making and the processes to be used to facilitate such opt-out.
3. The Agency’s right to verify companies’ compliance with the CCPA
The CPRA created the Agency and empowers it to audit businesses’ compliance with the CCPA. The CPRA also requires the Agency to adopt regulations defining the scope of, and process for exercising, its audit authority. Accordingly, the Agency has requested comments to help define the scope of its audit authority, the processes it should follow in exercising that authority and in selecting businesses to be audited, and the safeguards it should use to protect personal information from disclosure to an auditor.
4. New right of consumers to correct their personal information
The CPRA gives consumers a new right to request the correction of inaccurate personal information. The Agency invited comments on the rules and procedures for consumers to make such requests, including:
- how often and under what circumstances a consumer may submit a request for correction;
- how a business should respond to a request for correction, including what steps the business may take to prevent fraud;
- when a business should be exempt from the obligation to honor a request for correction because responding would be “impossible or would involve a disproportionate effort” or because the information at issue is already accurate; and
- the process by which a consumer may provide a written addendum to their file with the business if the business rejects their request for correction.
5. Standards for opt-out preference signals
The CCPA allows consumers to opt out of the “sale” of their personal information, and the CPRA adds a new right for consumers to opt out of the “sharing” of their personal information for cross-context behavioral advertising. In addition, the CPRA creates a new right for consumers to limit the use or disclosure of their “sensitive personal information,” discussed in the next section.
The CCPA requires businesses to implement certain mechanisms that allow consumers to exercise their opt-out right, for example by providing a clearly labeled opt-out link on their websites. However, the CPRA will give businesses the alternative of allowing consumers to exercise their opt-out rights (and their new right to limit the use or disclosure of sensitive personal information) through an “opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications” to be set forth in the Agency’s rulemaking.
The agency invited comments on rules and procedures that allow consumers to limit the use and disclosure of their sensitive personal information. The Agency is also seeking comments on the technical and logistical requirements of companies in processing these requests, including:
- What technical requirements and specifications should define an opt-out preference signal sent by a platform, technology, or mechanism, so that it indicates whether the consumer is opting out of sale, opting out of sharing, and/or seeking to limit the use or disclosure of sensitive personal information;
- What technical specifications should be established for an opt-out preference signal to make clear that the consumer is under 13, or at least 13 but under 16;
- How businesses should handle consumer requests expressed through opt-out preference signals; and
- What steps businesses should take to give consumers who have expressed a preference through an opt-out preference signal the opportunity to consent to the sale or sharing of their personal information and/or to the use and disclosure of their sensitive personal information.
6. New right for consumers to limit the use and disclosure of “sensitive personal information”
As noted above, the CPRA allows consumers to direct a business that collects their sensitive personal information to limit its use of that information to use “that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,” to perform certain enumerated services, and as otherwise permitted by regulation. However, the CPRA provides that this right does not apply to sensitive personal information that is “collected or processed without the purpose of inferring characteristics about a consumer”; such information is instead treated as ordinary personal information under the CCPA.
Beyond the topics discussed in the previous section, the Agency is also seeking comments on when these exceptions should apply:
- What constitutes “sensitive personal information” that should be considered “collected or processed without the purpose of inferring characteristics about a consumer,” such that it is not subject to the right to limit use and disclosure; and
- What use or disclosure of a consumer’s personal information should be permitted despite the consumer’s direction to limit the use or disclosure of that information.
7. “Specific pieces of information” to be provided in response to a request to know
The CCPA currently requires a business to provide a consumer, upon request, with a copy of the specific pieces of personal information it has obtained from the consumer within the preceding 12 months. However, with respect to personal information collected on or after January 1, 2022, a consumer may request that the business provide such information beyond the 12-month window, unless doing so “proves impossible or would involve a disproportionate effort” for the business.
The Agency is seeking comments on the standards that should determine whether providing information beyond the 12-month window is “impossible” or “would involve a disproportionate effort.”
8. Updated CCPA definitions
The Agency is considering whether any changes or additions should be made to the terms defined in the CCPA, such as “personal information,” “sensitive personal information,” “deidentified,” “unique identifier,” “designated methods for submitting requests,” “intentionally interacts,” “precise geolocation,” “specific pieces of information obtained from the consumer,” “law enforcement agency-approved investigation,” and “dark patterns.”
Final thoughts and next steps
The Invitation provides a useful update on many, though certainly not all, of the open issues and unanswered questions to be addressed in this new rulemaking process. It also serves as a reminder that many of the new requirements introduced by the CPRA have yet to be drafted.
Interested parties may submit comments by Monday, November 8, 2021. The public will have a further opportunity to comment on the proposed regulations when the Agency issues a notice of proposed rulemaking. Additional information on the rulemaking process is available on the regulations page of the Agency’s website.