While the passage of consumer privacy laws by state, national, and international legislative bodies earns justifiable headlines, the work of defining and enforcing actual regulations is passed down to privacy regulators. In February 2023, the California Privacy Protection Agency (CPPA) announced its approval of regulations aimed at giving consumers control over their data.
On February 3, 2023, the California Privacy Protection Agency (CPPA) unanimously voted to send its first rulemaking package to the Office of Administrative Law, the body charged with approving it. Given that the Office has 45 days to approve the package, regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), will be fully in effect sometime in April 2023.
While the CCPA was passed in 2018 and the CPRA in 2020, the rulemaking process, a key step in implementing the state’s privacy regulatory regime, began in July 2022. By producing final rules, the agency is accomplishing three goals:
- Harmonizing the provisions of the CCPA and CPRA
- Operationalizing the rights so businesses and consumers can take action on them
- Making the regulations easier to understand and comply with
The approved regulations do not cover all provisions of the CCPA and CPRA, and the CPPA has already invited public comments on proposed rulemaking for its next list of priorities: risk assessments, cybersecurity audits, and automated decision-making.
The regulations in the rulemaking package cover several, but not all, consumer rights. They include:
- Opting out of data sharing: The original law banned the “sale” of data, but not data sharing models used by social media and advertising companies. Now consumers can opt out of data sharing for cross-context behavioral advertising as well as data sales.
- Preventing the use of sensitive data: Consumers can use a global signal (the Global Privacy Control or GPC) to prevent the use of sensitive data like race, location, sexual orientation, and religious affiliation, beyond what is required to provide products or services.
- The right to delete or correct data: The regulations now require businesses to notify third parties of consumer requests to delete or remedy inaccurate personal information.
- Knowledge of sensitive information collected: Businesses must provide consumers with a list of categories of sensitive information collected, whether it is sold or shared, and how long it will be retained.
- Proportional data collection and use: Companies cannot use data for reasons that aren’t related to the purpose for which it was provided and disclosed to consumers.
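The Global Privacy Control signal named above is the one piece of this package a web backend has to recognize mechanically. The following is an added example, not code from the original alert or from the CPPA: it assumes the GPC specification's `Sec-GPC: 1` request header, and the purpose names and the policy table are constructed for the illustration. It shows a request-time check that treats a valid GPC header the same as a stored opt-out, switching off sales, cross-context behavioral advertising and secondary use of sensitive data while leaving processing needed to deliver the service untouched.

```python
from dataclasses import dataclass
from typing import Iterable, List, Mapping

# Processing purposes a business might tag on a data flow. These names are
# constructed for this example; they are not defined by the regulations.
SERVICE_DELIVERY = "service_delivery"                          # needed to provide the product
DATA_SALE = "data_sale"                                        # a "sale" under the CCPA
CROSS_CONTEXT_ADS = "cross_context_behavioral_advertising"     # "sharing" under the CPRA
SENSITIVE_SECONDARY = "sensitive_data_secondary_use"           # beyond what the service requires

# Purposes that an opt-out signal must switch off. Service delivery stays
# permitted because the opt-out does not reach what is required to provide
# the product or service the consumer asked for.
OPT_OUT_BLOCKED_PURPOSES = frozenset({DATA_SALE, CROSS_CONTEXT_ADS, SENSITIVE_SECONDARY})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a valid GPC opt-out signal.

    The GPC specification defines the request header `Sec-GPC` with the exact
    value "1". HTTP header names are case-insensitive, so we compare them
    lowercased. Any other value (or no header) means no signal: "true", "yes"
    or "01" are not accepted, so a misconfigured proxy cannot silently widen
    or narrow what counts as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class Decision:
    purpose: str
    allowed: bool
    reason: str


def decide_processing(purpose: str, headers: Mapping[str, str],
                      user_opted_out: bool = False) -> Decision:
    """Decide whether a data flow tagged with `purpose` may proceed.

    `user_opted_out` stands for an opt-out the consumer submitted through the
    business's own request channel (a stored account preference); GPC is the
    browser-level equivalent. Either one blocks the regulated purposes.
    """
    opted_out = user_opted_out or gpc_signal_present(headers)
    if purpose in OPT_OUT_BLOCKED_PURPOSES and opted_out:
        source = "stored opt-out" if user_opted_out else "Sec-GPC header"
        return Decision(purpose, False, f"blocked by {source}")
    if purpose in OPT_OUT_BLOCKED_PURPOSES:
        return Decision(purpose, True, "no opt-out signal received")
    return Decision(purpose, True, "required for service delivery")


def filter_purposes(purposes: Iterable[str], headers: Mapping[str, str],
                    user_opted_out: bool = False) -> List[str]:
    """Return only the purposes that may proceed for this request."""
    return [p for p in purposes
            if decide_processing(p, headers, user_opted_out).allowed]


if __name__ == "__main__":
    # Constructed sample request headers, as a browser with GPC enabled sends them.
    gpc_request = {"Host": "example.com", "Sec-GPC": "1"}
    plain_request = {"Host": "example.com"}
    for purpose in (SERVICE_DELIVERY, DATA_SALE, CROSS_CONTEXT_ADS):
        print(decide_processing(purpose, gpc_request))
        print(decide_processing(purpose, plain_request))
```

The check is deliberately strict about the header value: the signal is a legal opt-out, so a backend should log what it received and why it decided as it did (the `reason` field) rather than guess at malformed values, and the same decision function should sit in front of every downstream data flow, not just the advertising pixel.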
Not all outcomes of the rulemaking favor consumers exclusively. For example, businesses still have 15 days to delete personal information, as the board deemed an immediate timeline could be burdensome to businesses. Similarly, businesses are not required to disclose in their privacy notice the names of third parties who collect personal information on their behalf.
For the past several months, companies have felt that the details of the CCPA’s compliance requirements, especially where the company has already made significant progress on the basics like privacy notices and consumer rights, are a moving target. With the CPPA’s approval of these regulations, companies can home in on some of the details that are required of them. The regulations provide the road map to compliance in specific areas, but importantly, they also inform what the CPPA considers to be included in big-picture compliance approaches. From understanding what’s expected when implementing purpose limitation to shaping the methods the company will provide for consumers to submit requests, we now have more to go on when working toward a higher level of privacy maturity.
Are you concerned about whether CCPA and CPRA apply to your business? Do you want to know what’s covered? Check out our CPRA Compliance Checklist before enforcement starts on July 1, 2023.