From May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) hosted several public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”) via videoconference. During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal feedback, ideas and suggestions to the CPPA as it develops the next CPRA regulations. The sessions covered a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumer rights (e.g., opt-out rights and limits on the use of sensitive personal information), cybersecurity audits and risk assessments. Comments and positions taken by stakeholders varied. Some of the positions taken by stakeholders are summarized below:
- Automated decision-making. Many stakeholders expressed concerns about the scope of the term “automated decision-making technology”. Some stakeholders expressed support for a broad definition. Other commenters requested that the CPPA limit the scope to technology that produces a “significant legal or similar effect” (e.g., affects a consumer’s credit history). Stakeholders also suggested a risk-based tiered approach with stricter requirements for tools that collect and/or process sensitive information or perform automated decision-making that would constitute profiling (e.g., tenant selection for rental applications).
- Data minimization and purpose limitation. Some stakeholders encouraged the CPPA to provide strong and clear guidance on the CPRA’s requirement that companies disclose the purposes for which the personal information they collect will be used, and that they are prohibited from collecting additional categories of personal information, or from using the personal information collected for other purposes that are “inconsistent with the disclosed purposes for which the personal information was collected”, without further notice. Stakeholders sought guidance on what the CPPA considers “inconsistent”, with some supporting a strict interpretation of the term to include purposes not reasonably expected by the average person (e.g., invasive profiling unrelated to the supply of the product or service requested by the consumer, or voluntary sharing with law enforcement).
- Cybersecurity audits and assessments. Stakeholders generally expressed support for requiring companies to undergo cybersecurity audits and assessments. Some stakeholders urged the CPPA to ensure that the timing and frequency of risk assessments are appropriate to prevent and mitigate risks to individuals before a business processes personal information. Some stakeholders suggested that the CPPA require companies to make risk assessments publicly available. Other speakers urged the CPPA to provide guidelines that are clear but not overly prescriptive, covering, for example, when assessments would be needed, what assessments should look like, and how they should be conducted for compliance purposes. Some stakeholders also asked the CPPA to leverage requirements set forth by other laws, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the EU General Data Protection Regulation, so that multinational companies can more easily comply with all of these requirements.
- Harmonization with other regulatory regimes and regulators. Many stakeholders felt that the regulations should align with other regulatory regimes and urged the CPPA to work with other state regulators to align future requirements as much as possible with those of other states.
Following these sessions, the CPPA will begin the formal rulemaking process, but publication of the final rules is not expected until July 2023.