Calif. Agency Seeks to Polish Proposed Privacy Rules
The California Privacy Protection Agency board weighed draft changes Friday to proposed state privacy rules required by the 2020 California Privacy Rights Act (CPRA). The board, meeting virtually, showed support for several proposed modifications, which were posted with explanations earlier this month (see 2210170048), while flagging some issues for follow-up in later rulemakings. It was the first board meeting since California Attorney General Rob Bonta (D) appointed real estate developer and CPRA author Alastair Mactaggart a member.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The CPPA board planned to decide what changes to approve to proposed rules before putting them out for 15-days comment. The meeting continued after our deadline. Chair Jennifer Urban said the board may not meet Nov. 4 as scheduled if it had finished reviewing the modifications Friday or Saturday. The board plans to cover various administrative items at a December meeting, the chair said.
California could finalize the CPRA rules by the end of January, barring any delays, said CPPA General Counsel Philip Laird. The goal is to have an approved rules package in early 2023, he said. Urban stressed that rules could later be revised if the agency observes problems after they’re adopted.
The board spent about an hour discussing a concern by board member Lydia de la Torre about a section listing “purposes for which a business may collect, use, or disclose sensitive personal information without being required to offer consumers a right to limit.” It’s less challenging to list what you prohibit than say everything you allow, said de la Torre. The Santa Clara University Law School professor said she “can think of a number of use cases that really don’t fit” into the current text. Board member Vinhcent Le said he’s against overly broadening what’s allowed. De la Torre said that’s not her intention. Urban and Deputy Attorney General Lisa Kim, representing CCPA staff, said they preferred not to edit the section during Friday’s meeting and the board discussed returning to the item in a later rulemaking.
Mactaggart suggested looking again later at a removed draft rule requiring companies to give users confirmation about their choice not to share data. “It would be nice to see on a website whether they’ve opted me out,” he said. Urban and de la Torre agreed the issue should be considered more in the future.
Mactaggart raised concerns with removing a section requiring third parties to “check for and comply with a consumer’s opt out preference signal unless informed by the business that the consumer has consented to the sale or sharing of their personal information.” Deleting that provision may weaken the law, he said. It was removed to simplify implementation, but staff will consider it in future rulemaking, said Kim. Mactaggart voiced support for a proposed change meant to make it simpler for consumers to decline when businesses request more information after detecting a consumer’s opt-out signal.
De la Torre earlier asked why one proposed change would delete two examples of prohibited dark patterns: choices where a "yes" button is more prominent than the "no" button and where the option to participate in a financial incentive program is selected by default or featured more prominently than not participating. CPPA staff sought to simplify implementation, but these examples could be reintroduced if there seems to be a problem, said Kim. The board should remember to revisit this, Mactaggart said.
Le asked about a proposal to delete a requirement that businesses list names of all third parties it allows to control collection of personal information. Kim said the change was made to simplify rules, but staff will watch how things play out. Le, a lawyer at consumer group the Greenlining Institute, asked if the CPPA could instead require businesses to say how many third parties were involved. Staff considered that but is weighing costs and benefits since there could be “some fluidity” with the number of third parties, said Kim.
This month's draft edits “throw businesses a bone” on various issues, posted Robinson+Cole lawyers Thursday. The latest draft “softens one of the more revolutionary requirements: universal opt-out signals,” they said. “Under the modified rules, businesses will only need to respond to browser opt-out signals if they sell or share personal information and have the option to display the status icon, but no longer are required to.” Consumer Watchdog raised concerns with recent edits (see 2210250053).