United States: CPRA Update: CalPPA Gets Started With Inaugural Meeting And Agenda

Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency ("CalPPA"), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still participate via videoconference or telephone.

Why June 14^th Meeting is Significant: While much of the CalPPA's June 14 agenda focuses on administrative tasks, such as open meeting requirements, the Administrative Procedures Act, conflicts of interest, and subcommittee assignments, this meeting is also expected to mark the CalPPA's first public steps toward developing California Privacy Rights Act ("CPRA") regulations. Notably, according to the agenda, the CalPPA plans to provide official notice to California Attorney General Rob Bonta that the Board will assume rulemaking authority as of July 1, 2021, pursuant to CPRA Section 1798.199.40(b).  The CalPPA may issue new CPRA regulations as well as "adopt, amend, and rescind regulations" under the CCPA.

What's Ahead:  The CalPPA has until July 1, 2022 to adopt final regulations under the CPRA, and businesses will need to closely track these developments as they design their compliance strategy for CPRA (including how to leverage existing CCPA compliance, and harmonize compliance with Virginia's new privacy law).  The CPRA calls for regulations on a vast array or issues, which could materially impact compliance strategies.  Among the different topics include:

• Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information:  CPRA grants the CalPPA the authority to adopt regulations that further define consumers' opt-out rights, and to adopt regulations that define "intentional interactions," which in turn define the scope of exceptions to "sale" and "sharing." The CalPPA is also charged with issuing rules about "profiling" opt-out rights, and this area is worth watching closely because it is not aligned with Virginia's new privacy law.  CPRA defines "profiling" as the "automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."  A profiling opt-out under CPRA could apply to any first-party data use that meets this definition.  (The narrower profiling opt-out right under the Virginia Consumer Data Protection Act is limited to the "furtherance of decisions that produce legal or similarly significant effects concerning the consumer.")
• Other aspects of opt-out rights that could be initial rulemaking targets include (a) "technical specifications" for global privacy controls; and, with the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) "harmonizing" CCPA rules governing privacy notices, opt-out mechanisms, and "other operational mechanisms" to "promote clarify and functionality . . . for consumers."
• Access Requests:  CPRA directs the CalPPA to define the scope of responses to consumer requests for specific pieces of personal information.  CPRA suggests that these regulations may exclude system log and other information that "would not be useful to the consumer," as well as define authentication standards for access to sensitive personal information.
• Business Purposes:  It also is possible that the CalPPA will focus initially on "further defining" business purposes for which contractors and service providers may combine personal information from multiple businesses, and whether there are some functions that may relate to interest-based advertising, for example, that can still be within a service provider scope.

While the CPRA's substantive provisions will not be effective until January 2023, the earlier businesses have insight on how the CalPPA will potentially address these and other areas in the new regulations, the more time there will be to craft, build, and roll out compliance strategies.  Stay tuned for further updates. We will continue to keep a close watch on further developments with the Board and the CalPPA's activities.

How to Join CalPPA's Initial Meeting:

To join the meeting by Zoom videoconference: https://zoom.us/j/94536763262

To join the meeting by telephone: 1 (669)900-9128; Webinar ID: 945 36763262

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.