California Privacy Protection Agency

California’s New Privacy Agency Hits Ground Running

In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act (CPRA). The CPRA amends and extends the California Consumer Privacy Act of 2018 (CCPA) and establishes the California Privacy Protection Agency. This new agency has administrative power to implement and enforce the CCPA. The agency’s responsibilities include updating existing regulations and adopting new regulations.

Before the CPRA, the CCPA required the Attorney General to promulgate and enforce CCPA regulations against businesses. Proposition 24 now requires the agency to promulgate additional regulations under CPRA by July 1, 2022.

The agency held its inaugural meeting on June 14, 2021, and wasting no time, published an initial invitation for comments on September 22, 2021. The agency’s invitation for public comment solicited comments related to any area on which the agency has authority to adopt rules. In its invitation, however, the agency identified several areas of particular interest, as set forth below.

California Privacy Protection Agency Identifies Areas of Focus

Public comment is intended to assist the agency in developing well-informed regulations and determining whether changes to existing regulations may be necessary. The agency solicited comments related to any area on which the agency has authority to adopt rules but identified several topics of particular interest where it would like to receive viewpoints and comments. This is an informal process in advance of formal rulemaking.

• Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses.

In this area, the agency was interested in factors including when a business’s processing of personal information actually presents a significant risk to privacy or security, and what businesses that perform annual cybersecurity audits should be required to do. The agency also asked for information about risk assessments, including what goes into a risk assessment and how often a risk assessment ought to be submitted.

• Automated Decisionmaking.

The agency showed interest in what activities should be deemed to constitute “automated decisionmaking technology” and “profiling.” The agency was also interested in identifying when consumers should be able to access information about a business’s use of automated decisionmaking technology and what processes consumers and businesses should follow to facilitate access. Additionally, the agency sought information about what specific information businesses must provide to consumers in response to access requests, including what it means to provide “meaningful information about the logic” involved in automated decisions.

• Audits Performed by the Agency.

The agency showed interest in what the scope of an agency audit should be, what the process should be to exercise an audit, and what safeguards the agency should adopt to protect consumer information for disclosure to an auditor.

• Consumers’ Right to Delete, Correct, and Know.

The agency acknowledged that, with regard to consumer rights to delete and know, the Attorney General has already adopted regulations. The CPRA, however, added a right to correct, and additionally provides for the creation of regulations to establish rules and procedures that facilitate the right to correct. The agency’s interest here was related to procedure, including the frequency of consumer requests to correct, the circumstances warranting the same, and how a business is required to respond. The agency also showed an interest in helping businesses take steps to avoid fraud.

• Consumers’ Rights to Opt-Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of Their Sensitive Personal Information.

The Attorney General has previously issued regulations to enforce the consumers’ right to opt out of the sale of their personal data. The CPRA now provides for additional rulemaking to update the CCPA’s rules on the right to opt-out of the sale of personal information. It also calls for the adoption of regulations to limit the use of sensitive personal information, and account for other changes in this provision. The agency showed interest in understanding what policies and processes may help consumers control how sensitive personal information is used by businesses.

• Consumers’ Rights Related to Sensitive Personal Information.

Because the term “sensitive personal information” is new to the CPRA, the agency solicited comments to help understand what should constitute “sensitive personal information” that should not be subject to the right to limit use and disclosure. Additionally, the agency sought information about what type of uses or disclosures of consumer sensitive personal information ought to be permissible notwithstanding a consumer’s direction to limit the use or disclosure of the same.

• Information to Be Provided in Response to a Consumer Request to Know Specific Pieces of Information.

When a business is required to disclose specific pieces of information to a consumer, the CPRA generally requires the disclosure to cover the 12 months prior to a consumer’s request. However, for all information processed on, or after January 1, 2022, consumers may request, and businesses must disclose, information beyond the 12-month window subject to an exception.

On this issue, the agency was interested in identifying the standard that should govern a business’s determination that providing information beyond the 12-month window would involve a disproportionate effort or is otherwise impossible.

• Definitions and Categories.

Interestingly, the agency requested additional information on a wide range of definitions of categories. Notably, the agency was interested in what regulations, if any, should be adopted to further define “dark patterns,” “law enforcement agency-approved investigation,” and whether any changes or updates should be made to the categories of “personal information” given in the law.

CalChamber Position

The California Chamber of Commerce participated in the agency’s preliminary invitation for comments and submitted written comments to the agency on issues that were of concern for businesses. In its comments, the CalChamber provided guidance on the issues outlined by the agency, including substantive feedback to help the agency identify foreseeable issues in advance of promulgating a draft.

The CalChamber supports regulations that clarify ambiguities in the text of CPRA, and simplify and streamline compliance for businesses.

January 2022