Get ready for this. We have five states that need to issue regulations and every one will have multiple iterations. Here is the current state of California’s regs, issued by the CPPA.
In addition to the modified regulations, they also issued 16 pages of explanation.
These takeaways are from Daniel Goldberg of the law firm Frankfurt Kurnit Klein + Selz. There is a link at the end for all of the gory details.
- There are 4 days of hearings about the regs scheduled for this month. Given that the regs take effect in 3 months, this is likely close to the finished product for now.
- It is possible that they could approve some of the regs but not all at this time. There are also more regs still not released, so this is not the end of it.
- If you liked the first version of the regs, you will love this version, he says, because it is substantially similar, and likely close to the final version.
- They did add a few definitions; nothing major.
- The regs now say that a business’s processing of information must be reasonably necessary and proportionate to achieve the purpose for which it was collected or disclosed. The explanation spends multiple pages on this.
- Businesses no longer need to name the third parties that control the collection of data in the privacy policy.
- The opt-out language is noticeably looser, especially around corralling third parties, but we recommend you get your arms around this anyway, since other laws may still require it. Even though California may make this looser, it does not look like Colorado will, unless they change their mind.
- There is one new exemption from getting sued for using dark patterns. You had to know there was a problem with what you were doing.
- There is also an exception to offering opt out for sensitive personal information where you don’t use it to infer characteristics about the consumer and state so publicly.
- The modified regs remove some of the most stringent requirements around making sure that personal information is accurate.
- Service providers are allowed to use personal information for certain INTERNAL use or for security issues, even if that is not specified in the contract.
- It also clarifies how companies that provide services to nonbusiness entities could still be subject to CPRA.
- The regs also clarify how the opt-out rules work if the business asks a consumer to opt back in after the one year cooling off period.
- Finally, the explanation clarifies that a person could be a third party in one context and a service provider or contractor in another.
There are still significant pieces missing, like cybersecurity audits, privacy risk assessments and other rules. Stay tuned.
And as I said, there are more states coming. I will write about what Colorado is doing soon.
Credit: Frankfurt Kurnit