The California Privacy Protection Agency unveiled a preliminary draft of its proposed privacy regulation on May 27, hidden in the announcement of its next public meeting on June 8.
The agenda for this public meeting includes the “Discussion and Possible Action Regarding Proposed Regulations Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020 (CPRA), Including Possible Notice of Proposed Action.” The material posted for this meeting included a copy of the Draft California Consumer Protection Act (CCPA), and the agency will likely discuss this draft in the meeting next week.
The 66-page draft included seven pages of detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information. However, according to some legal experts, it does not cover a number of privacy hot topics mentioned in the grant of rulemaking authority to the agency.
The first article of the draft regulation begins by restricting businesses to collecting, using, retaining and sharing consumers’ personal information only to the extent that is reasonably necessary and proportionate to achieve the purpose for which the personal information is collected.
The main problem is that the draft paper doesn’t offer a clear definition of what counts as “reasonably necessary and proportionate,” and the only clarification provided by the agency is that this is “what an average consumer would expect when the personal information is collected.”
The agency provided some illustrative examples to show what an average consumer would expect, but they are only examples. For instance, if a business provides a mobile flashlight application, this business shouldn’t collect or allow another business to collect consumer geolocation information through its mobile flashlight app without the consumer’s explicit consent, as an average consumer wouldn’t expect that information to be collected.
Another example is cloud storage services. An average consumer would expect the collection of data for these purposes, but the business shouldn’t use the personal information to develop new products, such as facial recognition, without the user’s consent.
Another area that may deserve further attention in future discussions is clarifying whether the law is opt-out or opt-in. The CCPA is an opt-out law, meaning that consent is only required for the sale or sharing of personal information related to consumers under age 16 or a secondary use not disclosed at the time of collection.
However, the proposed rule seems to require opt-in consent for many collections of sensitive personal information. In the examples provided by the agency to show what an average consumer would expect, the rule suggests that explicit consent would be required for the collection of additional information.
The draft regulations do not set forth any rules related to the handling of personal information relating to privacy requests from employees or individuals who interact with a business in a business capacity.
In terms of a timeline for approval, the CPRA requires the CCPA to finalize regulations by July 1, 2022, but given the state’s protracted rulemaking process, the final regulations are unlikely until January 2023. In the meantime, the agency is likely to discuss the draft regulations in the next meeting on June 8.
Unlike other countries, the U.S. has never enacted complete consumer privacy legislation, but there are states that have legislated in this space. U.S. lawmakers have introduced new federal legislation to regulate some privacy aspects. For instance, Senator Richard Blumenthal introduced a new bill in February, the Kids Online Safety Act, that seeks to protect children’s privacy and data.
However, discussions in Congress to pass data privacy legislation have stalled as lawmakers disagree on various issues.