Calif. Privacy Agency Presses Ahead, With Eyes on Congress
The California Privacy Protection Agency is bracing for the imminent introduction of an “even less privacy-protective” U.S. privacy bill than the version it opposed last year, said Maureen Mahoney, deputy director-policy and legislation, at a CPPA board virtual meeting Monday. The board also received updates on advancing California bills, an agency strategic plan and next steps for its 2020 California Privacy Rights Act (CPRA) rulemaking.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
A revised American Data Privacy Protection Act (ADPPA) “could be introduced soon and marked up and even hit the House floor this spring or early summer,” Mahoney told the board. It will probably face Senate resistance, she predicted. The CPPA board voted last year to formally oppose the ADPPA because it would have preempted California’s more restrictive privacy law (see 2207280041). The agency is “coordinating closely” with the state legislature and governor’s office, and Mahoney is in Washington this week for legislative briefings including a presentation to California’s congressional delegation, she said.
Meanwhile, the CPPA told the state legislature about concerns staff have with a bill on automated decision-making, said Mahoney. AB-331 would prohibit using such systems in a way that results in algorithmic discrimination. CPPA staff worry “the legislature is seeking to step into an area where the agency is already tasked with issuing regulations,” she said.
The agency is monitoring several other California bills affecting privacy, said Mahoney: SB-362 would transfer a data broker registry to the agency from the state Justice Department and create a global deletion system. AB-947 would add immigration and citizenship status to the California Consumer Protection Act’s definition of sensitive personal information. AB-1194 would say businesses aren’t required to comply with government requests for emergency access to personal information on abortion and contraception. AB-1546 would extend to five years the statute of limitations for claims brought by the state attorney general under the 2018 California Consumer Privacy Act (CCPA), aligning it with what was set for the privacy agency.
Two board members questioned a $118,488 contract with a consultant to develop a strategic plan. The privacy agency executed the agreement April 26 with consulting firm Sorello Solutions, said Von Chitambira, deputy director-administration. The plan will include the agency’s mission statement, vision and goals for the next three years, she said. The CPPA is working with the contractor to set a timeline to complete the plan, an agency spokesperson said.
"What is this going to tell us that we don't know already?" asked board member Alastair Mactaggart, who wrote the ballot initiative that became the California Privacy Rights Act. The plan will spell out CPPA priorities for staff and the public and will allow the agency to develop key performance indicators for measuring progress, answered Chitambira. The state requires its agencies to have strategic plans, she added. Mactaggart said he understands if it were a state requirement, but he isn’t a “huge fan of paying this kind of money to consultants.”
The board shouldn't wait to discuss agency enforcement priorities, with CPRA enforcement set to begin July 1 (See 2304040043), said board member Lydia de la Torre. She asked if the consultant group had any experience with data privacy. No, said Chitambira, but Sorello has worked with several different government agencies on a range of other subjects, she said.
The board discussed how to prioritize potential CPRA rulemaking topics, which the agency, in a document circulated before Monday’s meeting, listed and assigned difficulty levels. The CPPA also released a meeting calendar.
Some “easy” rulemaking proposals included adopting language to harmonize with Colorado privacy regulations and requiring businesses to allow consumers to request all their personal information, not just 12 months. “Easy to medium” difficulty proposals would allow consumers to withdraw consent at any time and require businesses to comply with opt-out requests “in a time frame that is commensurate to the time frame it sells/shares it.” The agency rated a proposal to identify “purposes for which businesses can use consumer personal information” as “medium to hard.”
It would be “hard” to draft regulations on employee and business-to-business data, the CPPA document said. Other high-difficulty proposals included providing model notices and other disclosures, setting a reading standard to make disclosures more accessible and requiring social media platforms to provide application programming interfaces for consumers’ agents.
The board voted 4-0 for a motion to give staff much discretion to decide when to work on proposals. Board chairperson Jennifer Urban and member Vinhcent Le specifically supported prioritizing model notices and a separate item to release templates or standard forms for service provider contracts. They don’t have to happen right away, said Le, who noted he’s sensitive to diverting staff resources from rules that are already in progress. He and Urban also noted it may be good to allow time to see what businesses develop before putting out templates.
Mactaggart supported moving ahead with B2B and employee data rules, including if employment-related communications are covered by a trade-secrets exception. The statute requires the agency to address a proposed rule on requiring specific disclosures for mobile apps before downloading, he noted. However, Mactaggart said he would put all of the proposed items on hold in favor of focusing on finishing rules about artificial intelligence and automated decision-making. "We are it for the foreseeable future" in terms of regulating AI in the U.S., he noted. The meeting continued after our deadline.