top of page

The California Privacy Commission advances proposed CPRA regulations

At its board meeting on Wednesday, the state agency tasked with enforcing the soon-to-be-enacted California Privacy Rights Act (CPRA) revealed a draught of the data privacy law's guidelines.

The California Privacy Protection Agency's (CPPA) proposed rules outlined the purposes for which businesses may "collect, use, retain, and share consumer personal information consistent with consumers' expectations"; established the rules, procedures, and exemptions for notices and information businesses are required to provide consumers; and established rules and procedures for handling consumers' requests to opt out of having their personal information shared.

The proposed rules also detailed the procedure for filing a complaint with the CPPA and the agency's auditing jurisdiction.

The proposed guidelines included examples of businesses that may have exceeded the law's authorization to gather certain categories of personal information. A corporation that offers a mobile phone flashlight application, for instance, has no valid need to gather geolocation data on its clients. In contrast, an internet service provider would have a valid motive to gather geolocation data to track failures and calculate aggregate bandwidth, but not to sell this data to a third party.

Other potential law violations included a cloud storage company using personal information to develop an unrelated or unexpected new product, such as a facial recognition service, and an online retailer using personal information collected on its customers to market the products of other businesses to them.

In each of these instances, firms would be obliged to get a consumer's agreement before to utilising their personal data in ways that were not first disclosed.

Some business organisations contended that the proposed regulations introduce additional legal obligations.

In a letter to the CPPA dated Tuesday, the Association of National Advertisers said the draft rules “would substantially and materially alter the statutory requirements in the text of the CPRA itself, thus substituting a regulator’s extra-legislative objectives for the specific language of the law.” Several of the proposals “contravene the law by creating requirements that are significantly different from, and in some cases diametrically opposed to, the requirements set forth in the CPRA,” the group said.

The draught regulations, according to a blog post by the law firm Wilson Sonsini, make mandatory certain requirements that the CPRA had listed as optional, and in several cases exceed the CPRA's requirements regarding the disclosure of all personal information collected on a consumer and the right to correct incorrect information that was not collected by the business receiving the correction request.

The California Consumer Privacy Act (CCPA), the nation's first data privacy law, went into force in 2020. The legislation grants California citizens privacy rights, including the right to know what personal information firms have gathered about them, and compels businesses to educate customers about the personal information they collect. In addition, the legislation gives customers the right to erase this information and prevent its sale.

Under the CCPA, enforcement authority is with the state attorney general, but under the CPRA, it resides with the CPPA. Voters of the state granted the agency this authority at the 2020 ballot box.



bottom of page