California Reveals Draft Data Privacy Regulations

June 15, 2022
California’s new data privacy agency has started the rulemaking process to level up data protection rules in the state and posted the first version of proposed regulations, albeit with several notable omissions.

In a June 8 public meeting, the California Privacy Protection Agency (CPPA) began the formal process to make rules under California’s new data protection legislation.

The draft proposed regulations have been issued in accordance with the California Privacy Rights Act (CPRA), which transferred rulemaking and enforcement authorities from the state attorney general (AG) to the newly created CPPA.

California has been considered the pioneer in protecting consumers’ privacy in the US following the passage of the California Consumer Privacy Act (CCPA) in 2018. Californians then passed the CPRA in 2020 to further empower consumers with data privacy rights.

The draft rules now seek to amend the final regulations previously issued by the California AG and extend them in line with the CPRA.

What’s in and out?

The proposed regulations set out key provisions included in the CPRA, such as rules and procedures for consumers' right to delete, correct and obtain personal information, and establish regulations governing the use and disclosure of a consumer’s sensitive personal information.

They also lay down rules and exceptions to ensure that the notices can be easily understood by the average consumer, and discuss purposes for which a business can collect and share consumer personal information consistent with consumers’ expectations.

The regulations provide detailed guidance on many business obligations and “helpfully include a lot of examples to help explain obligations and exceptions”, Alan Friel, a partner at Squire Patton Boggs, told VIXIO.

However, the proposal makes some key omissions.

It does not address automated decision-making, profiling, cybersecurity audits and risk assessments.

In addition, the proposed provision on mandatory opt-out preference signals “conflicts in material ways with the language of the statute and will certainly be challenged during the upcoming public comment period”, Friel noted.

He added that the regulations also fail to include any provisions that will call for the treatment of human resources data subjects differently than consumers and provide that a company may not retaliate against job applicants, employees or contractors that exercise their new expansive privacy rights.

CPRA and the GDPR

The CPRA aims to level up the data privacy rights of Californians and put them on par with the European Union’s General Data Protection Regulation (GDPR).

Similar to its European counterpart, the CPRA establishes the principles of storage limitation and data minimisation, and provides transparency as to consumer profiling and automated decision-making processes.

Going even beyond the GDPR, the CPRA requires businesses to provide an easy "do not sell my information" button and allows for browsing with no pop-ups or sale of data.

“Although CPRA is inspired by GDPR there are differences and full compliance with GDPR is insufficient in several material ways under CPRA,” Friel said.

“Companies with GDPR programmes, however, should be able to modify their programmes for California relatively easily assuming their California personal information data practices are understood and capable of being applied to the compliance programme,” he added.

The regulations will apply only to large companies, those with more than $25m in worldwide revenues, or those that process personal information of more than 100,000 Californians per year or derive more than 50 percent of annual revenues from selling personal information.

The agency’s board has approved the draft proposed regulations for the formal rulemaking process, which means that the agency’s staff will now start to prepare a notice of proposed rulemaking action.

The public will have the opportunity to provide feedback once the notice is published in the California regulatory notice register.
