In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act ("CPRA"). The CPRA expands the consumer data privacy protections present in the more widely-known California Consumer Privacy Act ("CCPA"). Among other measures, the CPRA created the California Privacy Protection Agency (the "Agency"), which is tasked with CPRA rulemaking. The Agency recently put out a call for comments on particular topics that affect businesses that collect California resident consumer data.
What topics are in the CPRA rulemaking notice?
The Agency's notice contains several topics of interest concerning its initial rulemaking efforts, notably those that are not covered by existing CCPA regulations. Of particular note are rules surrounding automated decision making, Agency privacy audits, and responses to specific consumer requests for data information.
Automated decision making technology is also referred to as "profiling" in the proposed rulemaking. It includes software that can evaluate a consumer based on his or her data, including work, income, health, interests, and location-related information. The Agency is fashioning rules to define: the scope of activities which constitute "profiling" or "automated decision making;" when consumers may obtain information about a business's use of such technology (and how businesses should facilitate those requests); what information about automated decision making qualifies as providing "meaningful information about the logic" of the process; and the scope of a consumer's right to opt-out of being part of an organization's automated decision making. With so many businesses dependent on using consumer data to target ads, the ultimate rules promulgated by the Agency should significantly impact the nature of this type of targeting in the future.
The CPRA also gives the Agency the right to audit a business's CPRA compliance. The Agency has requested comment on how to define the scope of its audit authority, procedures and criteria for exercising this authority and choosing which businesses to audit, and how to protect consumers' private data from disclosure during audit. Businesses that depend on collection, use, and sharing of consumer data should pay extra attention to this particular set of rules. Finding a balance between an "any one at any time" and a "wait until there is a problem" approach will dictate how robust the Agency's auditing function will prove to be.
Finally, the Agency is crafting rules on information that businesses must provide to consumers upon request. Like the CCPA today, the CPRA requires that businesses disclose specific pieces of information to consumers for the 12-month period preceding the request. The CPRA also contemplates requiring businesses to provide information beyond the 12-month period unless it is impossible or "requires disproportionate effort." By and through its rulemaking, the Agency plans to define what "impossible" and "disproportionate effort" mean.
Why does the Agency's CPRA rulemaking matter to my business?
California has been at the forefront of consumer data privacy for years, most notably with the CCPA's passage in 2018. Now, a new state agency will solidify and expand upon these consumer data protections. If your business relies on consumer data, then these new CPRA rules will be critical. For example: Does your company rely on algorithms or AI to help drive marketing campaigns? Then the automated decision making rules will affect you. Does your business have consumer data privacy records that go back for each consumer more than 12 months? Then, the auditing and information response rules matter to you.
Hire experienced privacy attorneys.
Almost every business relies on consumer data in some way to drive its marketing strategy. Consumer data privacy regulations are quite nuanced and failure to comply may result in state investigations, fines, or even lawsuits. Today, with so many businesses relying on consumer data and AI, staying CPRA compliant could not be more important. Keeping track of all of the regulatory changes and making sure that your data collection and privacy policies adjust is a full-time occupation in itself. But you can avoid much of this time, money, and headache by hiring experienced data privacy attorneys.
Similar Blog Posts:
How Does the Colorado Privacy Law Compare to the CCPA?
California Attorney General Announces New CCPA Changes
How Does the CPRA Compare to the GDPR? Ask a CPRA Lawyer
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
