In November 2020, California voters adopted the California Privacy Rights Act (“CPRA”) ballot initiative, which was developed to strengthen and expand upon the underlying California Consumer Privacy Act (“CCPA”) that the state legislature adopted in 2018. While the CPRA provides for significant new consumer rights and responsible data processing obligations on covered businesses, many questions regarding the scope and practical operation of these requirements remain unresolved. A recently released set of public comments on a CPRA rulemaking process brings some of these contested issues into sharper focus.
The CPRA delegates both rulemaking and enforcement authority to a brand new, privacy-specific body, the California Privacy Protection Agency (“the Agency”). Following the appointment of a governing board, the Agency took its first public-facing steps towards rulemaking in September 2021, issuing an invitation for comment on 8 topics focused on new and undecided issues introduced by the CPRA. Last week, the Agency published approximately 70 submissions that it received during the course of its 45-day comment period.
A variety of individuals and organizations filed comments, including trade associations and companies representing diverse industry sectors, consumer rights groups, and academics. One noteworthy filing is from Californians for Consumer Privacy, a nonprofit organization helmed by Alastair Mactaggart. Given the group’s role in drafting the California Privacy Rights Act ballot initiative and driving the public advocacy campaign that led to its adoption, these comments are indicative of the intent behind some of the ambiguous and contested provisions of the CPRA.
Across hundreds of pages of comments, stakeholders displayed sharp disagreements on what the CPRA does and should require on multiple consequential issues. These contested topics for CPRA rulemaking include (1) how businesses should conduct and submit privacy and security risk assessments, (2) the ways that automated decisionmaking technologies shall be regulated, (3) whether the CPRA requires the recognition of user-enabled opt-out signals, (4) the scope of the Agency’s audit authority, and (5) how the Agency should further define and regulate manipulative design interfaces known as “dark patterns.”
1. Privacy and Security Risk Assessments
The CPRA brings California into greater alignment with other global and