California’s Privacy Protection Agency is finally making moves on regulations that have been years in the making. The California Privacy Protection Agency (CPPA) was established in order to enforce privacy regulations in the wake of the California Privacy Rights Act (CPRA) passing in November 2020. The role of this agency is to update existing regulations, adopt new ones, and audit businesses for compliance with both the CPRA and the California Consumer Privacy Act (CCPA). The CPPA has recently released a set of draft regulations for the CPRA, and while the regulations are not yet final, they do give insight into what businesses can expect in a world with patchwork data privacy legislation.
The current draft regulations are an incredibly detailed set, covering everything from how notices should be worded to how consumer opt-out requests should be handled. While it’s advisable to peruse the regulations yourself, we’ll try to give a quick overview of a few things your business should pay careful attention to in order to make sure you’re in compliance with the new CPRA regulations.
You will need to make sure your business is seeking consumer consent before collecting data, and is not collecting data that is irrelevant to the purpose of your business. The current draft of the CPPA’s regulations requires businesses to get explicit consent from consumers before collecting, using, retaining, and/or sharing the consumer’s personal information for “any purpose that is unrelated or incompatible with the purpose(s) for which the personal information collected or processed.” Along with consent, they also require the reasonable expectations of the consumer to be taken into account for data collection purposes. Basically, the data a business collects through an app should be data that users would reasonably expect that app to collect. For example, a mobile flashlight app should not collect or sell geolocation data, because a user would not expect a mobile flashlight app to be collecting their geolocation data in the first place.
Your business should also double check that all your notices and disclosures are in compliance with the CPRA’s new guidelines. These guidelines introduce a few new notices and describe how they should be worded and designed. The CPRA requires that businesses provide consumers with a “notice of right to opt-out of sale/sharing or the alternative opt-out link,” as well as notices, at or before the time of collection, of what categories of information are being collected and whether that information is sold or shared.
As far as wording and design, the regulations require that notices and disclosures be easy for users to understand and not make use of manipulative choice architecture. They specifically require that disclosures and notices offer symmetry of choice when asking for consumer consent (e.g. “yes” and “no,” not “yes” and “ask me later”) and prohibit the use of shaming language (such as making users click through a list of reasons why opting out is a “bad idea”).
California has been a trailblazer for consumer data privacy laws. While the US does not currently have any comprehensive federal data privacy regulations, we can expect laws similar to California’s in the federal pipeline in years to come. We are already seeing more privacy laws like California’s pop up at the state level. This means it’s wise for businesses to start considering their practices and policies now, well before the July 2023 date on which California’s regulations become enforceable. Bringing your business into compliance with these new regulations will require careful time and attention from multiple departments across your organization, including IT and legal. While this law only applies to for-profit organizations located in California, or organizations that do business in California, it remains relevant to businesses outside of California, especially as more and more states introduce similar privacy legislation.
Consumer rights under the CPRA include:
This list is by no means all-inclusive; the draft regulations are 66 pages long and quite detailed. While these regulations are still a draft, it’s best to start your organization down the path of compliance well before July 2023.
Clear Law Institute’s customized Cybersecurity Awareness and Data Privacy Training course is designed to educate your workforce and ensure your organization's practices and policies are in line with the latest regulations. This course teaches employees the knowledge they need to understand and avoid cyber threats through practical examples.
By educating employees on security threats and how to report data breaches, employers are reducing the risk of such attacks and the crippling impact they can have on the workplace. That makes cybersecurity training vital for every employer.
Learn more about Clear Law Institute’s online cybersecurity training, Cybersecurity Awareness and Data Privacy Training.