Los Angeles, CA—After nearly a year of rulemaking and over 1,000 pages of public comments, the country’s first dedicated data privacy agency on Friday approved regulations aimed at giving consumers unprecedented control over their private data.
The California Privacy Protection Agency (CPPA) unanimously voted Feb. 3 to send its first rulemaking package to the Office of Administrative Law (OAL) for final approval. The board will submit the package within two weeks and OAL has 45 days to approve it. That means regulations for the amended California Consumer Privacy Act (CCPA) will be on the books in April. Following the deletion of some pro-consumer regulations, no further changes were made to the law after 450 pages of public comment, according to the agency.
“Personal data selling is an invisible economy that is used to track and profile us. Although the agency declined to make some important changes to the regulations, the public needs these regulations now more than ever in order to take control of what is theirs,” said Justin Kloczko, Consumer Watchdog’s privacy advocate.
The law empowers consumers with rights to stop companies from abusing their personal information, including:
The ability to opt out of data being shared with third parties. Many pointed out that the original version of the law was flawed because it only prevented the ‘sale’ of data, but not the data sharing that fuels the business model of many social media and advertising companies. The pipeline sending private data to third parties is now cut.
Consumers can now prevent the use of sensitive data by first parties, including data based on race, location, sexual orientation, health and religious beliefs. Businesses must allow people to exercise their privacy preferences through a global signal sent to them, and through a “Do not Share/Sell My Information” homepage button.
The right to delete or correct inaccurate personal information a business has compiled, and to notify third parties of requested changes. CPRA also expands deletion requests by mandating businesses notify third parties who have the data.
Businesses also must provide a list of categories of sensitive information collected, whether personal information is sold or shared, and the length of time the business intends to retain each category of personal information.
Data use needs to be proportionate to the purpose. A company can’t use data for a reason that’s completely unrelated to the reason the consumer provided it. For example, a flashlight app cannot use your geolocation for it to function.
Originally intended to meet a July 1, 2022 deadline, the regulations were pushed back a couple of times by the small-staffed agency, which saw the departure of two board members. There have been no modifications to the regulations since the last public comment hearing in October.
“Four-hundred and fifty pages of comment were considered, and we determined no further changes were necessary,” said Lisa Kim, legal counsel to the privacy board, during Friday’s board meeting.
Those changes the agency declined to make included closing a 15-day window to delete personal information.
“Even when someone opts out, personal information will still be sold because businesses are granted a two-week grace period. Businesses should be forced to honor a person’s opt-out request just as soon as they are able to sell your data, which privacy experts say is mere seconds,” said Kloczko.
In its reasons for declining to eliminate the window, the board said the maximum 15-day window balances consumer opt-out rights with the burden on businesses of processing those rights. It also said, “Further analysis is required to determine if a regulation on this issue is necessary.” It seems likely the issue will be revisited in the future.
The board also deleted the requirement that the business identify the names of the third parties that control the collection of personal information. Consumers deserve to know directly from those who shared or sold their data who exactly will be handling their personal information.
The board also declined to revert to its previous regulation stating that a consumer’s opt-out choice be displayed. A business is not required to display on its website whether it has processed a consumer’s choice to opt out of the sale/sharing of personal information, leaving people in the dark about whether they have exercised their privacy rights.
Enforcement of the law begins July 1. The board will soon be taking comments for its next round of regulations dealing with risk assessments, audits, and automated decision-making.