California's landmark privacy rules take effect in two months
Welcome to the latest Truth in Privacy dispatch, Consumer Watchdog's tech and privacy newsletter.
Two years since the passage of the voter-approved California Privacy Rights Act (CPRA), the board tasked with drawing up regulations for the law is nearing the finish line.
Over the weekend the California Privacy Protection Agency (CPPA) approved a package of modifications to the law, triggering a final 15-day comment period and bringing the public one step closer to being empowered with landmark data privacy protections. The amended California Consumer Privacy Act (CCPA) takes effect in just two months.
While the law gives unprecedented control to users over their personal data—from limiting its use to stopping third parties from obtaining it—the agency walked back certain pro-user regulations and passed on addressing other shortcomings. For example, the board deleted the requirement under section 7012 that businesses identify third-party recipients of data. This move is worrisome, as it will help keep secret the largely incognito world of third-party data miners. However, third parties must disclose that they receive the data via a link, although it is unclear how users would be notified. The board in its reasoning said the regulation change was to “simplify implementation at this time.”
The deletion garnered some discussion among board members, including Vinhcent Le, who floated the idea of users being informed as to the number of recipient third parties to “strike a balance.” At the end, Board Chair Jennifer Urban said the issue would be tabled for the future, although given the layers of bureaucracy that come with rule making, revisiting the regulation will likely be a drawn-out process.
In addition, the board deleted the requirement that businesses display to consumers whether they have exercised their privacy choices, including opting out of the sale/sharing of their personal information. This applies whether the privacy choice is made individually on a website or via a global privacy preference signal. With this deletion under sections 7025 and 7026, it is unclear how users will know where they have made their privacy choices in the sea of websites that are visited daily. The board said the “revision conforms the subsection to existing requirements for businesses.”
Board member Lydia de la Torre and Prop 24 founder Alastair MacTaggart, sitting in on his first meeting as board member, expressed concern about seeing the display requirement go. The board agreed to also address the modification in the future.
Maybe more alarmingly, a 15-day window for businesses to comply with requests to stop selling/sharing data and to limit data use remains on the books, a loophole that is contrary to the essence of the law and not supported by the statute. Browsing data is sold to third parties in seconds, and if entities have over two weeks to comply with requests, personal data will still have plenty of time to get into the hands of others. As Consumer Watchdog recently highlighted in a new report, a person’s browsing habits are sold about 750 times a day, amounting to an industry worth billions built off our most sensitive information.
Although the 15-day regulation currently states that a business should honor a request “as soon as feasibly possible,” a business will cite 15 days as “soon as feasibly possible.” If a business can sell personal information in seconds, it should also be able to stop selling personal information in the same amount of time.
Following the end of the 15-day public comment period, a final packet of regulations will be submitted to the Office of Administrative Law. The agency has 30 days to approve or deny the regulations, but the CPPA said the timeline is looking more like 45-50 days. The attorney general’s office will begin enforcing the new amendments to the law on Jan. 1, 2023, with the privacy board taking over enforcement in July 2023.