California privacy board moves forward with draft CPRA regulations

The draft rules put forward by the California Privacy Protection Agency (CPPA) laid out the purposes under which businesses are allowed to “collect, use, retain, and share consumer personal information consistent with consumers’ expectations”; established the rules, procedures, and exemptions for notices and information businesses are required to provide to consumers; and established rules and procedures for handling consumers’ requests to opt out from having their personal information collected, to delete information, to correct information, and to obtain a report containing all the personal information that business has collected on them.

The draft rules also explained the process for how to file a complaint with the CPPA and the scope of the agency’s audit authority.

The draft rules offered cases of companies that could be viewed as exceeding the law’s authority to collect certain types of personal information. For example, a company that provides a mobile phone flashlight app has no legitimate purpose to collect geolocation data on its customers. By contrast, an internet service provider would have a legitimate reason to collect geolocation data to track outages and determine aggregate bandwidth but would not have a legitimate reason to sell that data to a third party.

Other examples of potential law violations included a cloud storage company using personal data to develop an unrelated or unexpected new product, like a facial recognition service, and an online retailer using personal information collected on its customers to market other businesses’ products to them.

In all these cases, businesses would be required to obtain a consumers’ consent before using information in ways that would not be expected as part of the consumer’s original understanding of legitimate uses of their personal data.

Some industry groups argued the draft regulations are adding new requirements to the law.

In a letter to the CPPA dated Tuesday, the Association of National Advertisers said the draft rules “would substantially and materially alter the statutory requirements in the text of the CPRA itself, thus substituting a regulator’s extra-legislative objectives for the specific language of the law.” Several of the proposals “contravene the law by creating requirements that are significantly different from, and in some cases diametrically opposed to, the requirements set forth in the CPRA,” the group said.

According to a blog post by law firm Wilson Sonsini, the draft regulations make mandatory some requirements the CPRA had listed as optional and in several cases exceeds the CPRA’s requirements regarding the disclosure of all personal information collected on a consumer and the right to correct incorrect information that was not collected by the business receiving the correction request.

The nation’s first data privacy law, the California Consumer Privacy Act (CCPA), took effect in 2020. The law provides California residents with privacy rights, including the right to know personal information collected about them by businesses, and requires companies to notify consumers about the personal information they collect. The law also provides consumers with the right to delete that information and stop its sale.

Under the CCPA, enforcement power is held by the state attorney general; under the CPRA, that authority belongs with the CPPA. The agency was granted that power by the state’s voters at the ballot box in 2020.