Businesses will have more time to provide feedback on proposed regulations by California’s new data protection authority concerning risk assessments, cybersecurity audits, automated decision-making, and data broker registration before they are potentially finalized later this year.
The California Privacy Protection Agency (CPPA) is responsible for drafting and enforcing data privacy regulations under the California Consumer Privacy Act (CCPA), which grants California residents and certain employees rights over personal data collected by businesses. These rights include opting out of data collection and requesting data deletion.
In April, the CPPA issued its first enforcement advisory, outlining its expectations for businesses in responding to consumer opt-out requests. Last year, the agency's initial effort to amend the CCPA was postponed until March 2024 by a state court to provide covered entities with additional compliance time. Meanwhile, the CPPA has been deliberating further rulemaking on risk assessments, cybersecurity audits, and automated decision-making since 2023.
In January, the CPPA indicated that draft regulations were nearly ready for finalization. However, in March, following a “robust” discussion of the draft rules and public calls for more time for input, the agency decided to retain the rules in draft form and “bring the public even further into the conversation,” as stated by Jennifer Urban, chair of the CPPA board, during a meeting held on May 10.
The CPPA will further discuss the draft rules during a stakeholder session scheduled for Wednesday, accessible both in person and online.
Regarding data broker registration rules under the law known as the “Delete Act,” which was signed by California Governor Gavin Newsom in October, the CPPA has agreed to initiate formal rulemaking. The act requires data brokers to register by January 31, 2025, and annually thereafter with a $400 fee if they handled data in the previous year. Beginning January 1, 2026, residents will be able to view these registrations and request the deletion of their information.
The transparency provided by the act is “incredibly important for consumers who need to know who has their information so they can exercise their privacy rights,” said CPPA Attorney Liz Travis Allen at the May 10 meeting. Businesses and the public will have the opportunity to provide feedback on the act’s final rules during an upcoming 45-day comment period.
As 17 states have passed comprehensive data privacy legislation, with Vermont introducing a private right of action in its privacy law currently awaiting the governor’s signature, businesses are urging Congress to pass a federal privacy law to streamline compliance efforts. The American Privacy Rights Act (APRA), currently under consideration by the House Energy and Commerce Committee, also includes a private right of action. The bill remains in the early stages and is likely to undergo changes if it progresses.
APRA would override state privacy laws, including California’s, a prospect supported by businesses but strongly opposed by California and other states. Ashkan Soltani, CPPA executive director, wrote to Rep. Cathy McMorris Rodgers (R-Wash.), chair of the House Energy and Commerce Committee, and Rep. Gus Bilirakis (R-Fla.), chair of the Innovation, Data and Commerce Subcommittee, on April 16, urging them to modify the bill to permit states to enforce privacy laws that are stricter than federal law.
“A federal privacy law with sweeping preemption language could freeze protections for the next [30] years,” Soltani stated. APRA should establish a baseline of privacy rights and allow states to “build on top of it,” Urban emphasized. In California, 9.5 million people voted for robust privacy protections, “and they can’t be diminished easily,” she added.
By fLEXI tEAM