California Privacy Protection Agency Releases Public Comments to California Privacy Rights Act
At the end of 2021, the California Privacy Protection Agency (“Agency”) released written public comments regarding the California Privacy Rights Act (CPRA), which will go into effect on January 1, 2023.
In its initial request for public comment, the Agency requested comment on the following matters:
Cybersecurity audits and risk assessments performed by businesses
Automated decision making
The Agency’s audit authority
Consumers’ right to delete, right to correct and right to know
Opt-out preference signals
Consumers’ right to limit the use and disclosure of sensitive personal information
Information to be provided in response to a consumer’s request to know
Definitions of various terms
Of the public comments, the following is an outline of the most contentious issues:
1. Privacy and Security Risk Assessments—Imposition of Reporting Requirements
Industry groups' main focus appeared to be that a mandate to report risk assessments would impose an undue and unnecessary burden on businesses and would increase the Agency’s workload, delaying the Agency’s processes and response times. A prevailing recommendation was that audits and risk assessments need only be submitted to the Agency upon its request.
Civil society organizations sought an increase in the scope and requirements for production of audit and risk assessments—seeking a greater burden on businesses and a heightened level of scrutiny.
2. Automated Decision-Making Technology—Arguments as to the Scope and Benefits Thereof
Many argued that regulation of automated decision-making technology (AI) should apply where the output would have “legal or similarly significant effects” on consumers, for example in consumer-facing decisions such as credit applications. Many of these arguments centered on the fact that many AI technologies, such as calculators, do not produce a heightened risk of discrimination or computer error.
3. Opt-Out Preference Signals—Implications of Other Privacy Controls
Many commenters found that the requirements relating to opt-out signals would implicate the Global Privacy Control (GPC), which has its own requirements for opt-out signals, and could create an issue of preemption. Although there are contradicting views on the significance of the GPC with regard to this state-based legislation, the language of the CPRA would need to make clear the role that both sets of requirements play.
4. Definitions—Dark Patterns
There was much contention over the definition of “dark patterns” and what it could—and, importantly, how broadly it should—encompass under the CPRA.
Several pieces of privacy legislation are currently being introduced across many states.