CPRA Draft Rules Draw Concerns from Industry, Advocates
Businesses said proposed California privacy rules are too restrictive, but consumer privacy advocates said they’re too weak, in comments at the California Privacy Protection Agency. The CPPA received feedback Monday on revised draft rules to implement the 2020 California Privacy Rights Act (CPRA), sequel to the 2018 California Consumer Privacy Act (CCPA). The CPPA board approved the revised draft rules last month (see 2210310074). The CPRA takes effect Jan. 1.
Proposed changes to rules on collecting and using personal information “create overly prescriptive requirements that conflict with the intent of the CPRA,” said the Computer and Communications Industry Association (CCIA). Rules "should incorporate reasonable and proportionate standards to craft principles that balance innovation and consumer privacy," but the revised draft rules propose "a complicated and subjective multi-factor balancing test that would apply to all collection, use, retention, and/or sharing of personal information,” CCIA commented. “The highly open-ended nature of these requirements would place businesses in a constant state of uncertainty regarding whether they comply.”
Don’t force businesses to recognize global opt-out preference signals, said CCIA. The association reads the CPRA as making it voluntary, it said. Don’t limit how a company uses data across its products if the privacy notice is clear about those potential uses, CCIA said. “Consumers obtain substantial benefits from sharing data across services, such as using data from a reading app to personalize book recommendations in an online store (whether both services are offered by the same business).” The CPPA should focus its dark patterns rules on “prohibiting false or misleading language that could impair or interfere with a consumer's ability to exercise their choice.”
Several recent changes “set up additional barriers to consumers' ability to exercise their rights” under CCPA and CPRA, Electronic Frontier Foundation, American Civil Liberties Union-California Action and four other privacy groups wrote. "Changes to the definition of 'disproportionate effort' will make it easier for businesses to refuse to fulfill valid consumer requests to know and correct information, and to refuse to pass those requests on to third parties with which they have shared information,” they said. Removing illustrative examples from the draft rules "makes it easier for businesses to mislead and confuse consumers, reduces the clarity of the regulations, and weakens the protections of the CCPA.”
The consumer privacy groups disagreed with removing a proposed rule to require businesses to notify customers which third parties they allow to control personal information. That "makes it substantially more difficult for any consumer to understand what will happen with their information after it is collected,” EFF and the others said. Also, they opposed removing a requirement for businesses to notify third parties of requests to opt out or limit use of sensitive personal information. "The combination of being required to file duplicative requests with each separate entity and being kept in the dark about which companies control their data in the first place may make it impossible for many consumers to exercise their rights at all.”
CPPA revisions weakened dark patterns rules, the consumer advocates said. “By only prohibiting language that would 'impair or interfere' consumers’ choice, it removes a class of dark patterns that are designed to nudge, manipulate, or influence.” Having to consider a business's intent “is costly and reduces clarity of the regulations,” they said. The possibility that consumers may have to pay more to protect their privacy still worries advocates, they said. "We remain disappointed that draft regulations leave mostly untouched the extreme license given to businesses to compute ‘the value of the customer’s data’ according to almost any formula or method that they might choose. The lack of specific guidance will likely result in a crazy-quilt of methods to measure the value of the customer’s data to the business.”
The inclusion of a 15-day window for complying with consumer requests runs counter to the essence of the law and isn’t supported by the statute, Consumer Watchdog commented. Companies are allowed 15 days to comply with requests to stop selling or sharing data and limit data use under the proposed rules. If a business “can sell personal information in seconds, it should be able to stop selling personal information in the same amount of time,” CW said, calling it a loophole. The privacy board’s decision to remove a requirement under section 7012 that businesses “identify third-party recipients of data” is “worrisome,” said CW: The decision will help keep the activity of third-party data miners “secret.” The “essence of the law” is to restrict personal data from “falling into the hands of third parties, but if users aren’t told who will be getting their data, it will deter them from exercising their rights,” said CW.
CW also opposed the board’s decision to remove requirements under sections 7025 and 7026 “that businesses display to consumers whether they have exercised their privacy choices, including opting out of the sale/sharing of their personal information.” This decision means it will be unclear “how users will know where they have made their privacy choices in the sea of websites that are visited daily.”