The California Privacy Protection Agency (CPPA) Board held a public meeting on August 24-25 at the Elihu M. Harris State Office, 1515 Clay St., Oakland, CA, and online, to hear public comments as part of the CA Consumer Privacy Rights Act (CPRA) rulemaking process. The CPRA effectively amends the California Consumer Privacy Act (CCPA) of 2018. The new rules are scheduled to go into effect on Jan 1, 2023, when the CPPA will also assume enforcement duties along with the CA Attorney General. A recording of the sessions is available on the CPPA website.
Public Comments on CPRA Draft, CCPA Compliance Deadline and Business's Response to Consumer Requests under the Bill
As before, public comments fall into two camps. One view comes from small and medium businesses and SMB advocates who claim that:
- The delay in the CPRA rulemaking process won't give them enough time to comply by Jan 1, 2023.
- The CPRA/CCPA regulations make it more difficult for smaller businesses to compete online.
- The CPPA has underestimated the cost and impact of the CPRA/CCPA regulations on SMBs.
- Consumers will be denied a personalized online shopping experience.
Consumer Privacy Rights under CCPA
Right to Know: How, why, and what
Right to Delete: Personal data
Right to Opt-out: Of Data Collection and Sharing
Right to Non-Discrimination:
Right to Correct: Inaccurate personal data
Right to Portability:
Right to Private Action:
On the flip side of the argument are consumers, privacy advocates, and security & technology professionals. Several consumers told stories of attempting to exercise the right to know, right to correct, and right to delete without success. Nordstrom, NBC and Samsung were mentioned as having obfuscated, tedious mechanisms that seemed to fail even after the consumers spent significant time trying to get them to work. In one case, a consumer told the board that they discovered severe discrepancies in their medical records two years ago and have been trying to get them corrected ever since.
There is the looming question of whether most larger organizations intend to abide by the CCPA at all, either because the threat of penalty is insignificant or because the value of data mining is too great. As a result, some companies may think compliance is not worth the trouble, and others may continue to violate privacy laws for their own gain.
Security & technology professionals commented that given how upstream and downstream third-party technologies integrate, it is virtually impossible to track consumer opt-out signals. Privacy experts say the GDPR opt-in rules work better than CCPA's opt-out rules and recommend it be mandatory that all consumer-facing websites and downstream services respect the Global Privacy Control.
California Attorney General – Penalty Enforcement Under the CCPA
On August 24, 2022, California Attorney General Rob Bonta announced a settlement under the California Consumer Privacy Act (CCPA), costing Sephora, Inc. $1.2 million in penalties. The complaint stated that Sephora was notified on June 25, 2021, of CCPA violations and had 30 days to cure. However, by July 26, 2021, Sephora had failed to remedy the situation.
The new CPRA rules go into effect in January 2023, when, in addition to the AG, the CPPA will have enforcement obligations under the CCPA. The 30-day grace period to comply following a violation will cease.
What is the Global Privacy Control (GPC) Signal?
The GPC signal is intended to communicate a Do Not Sell request from a global privacy control, as per CCPA-REGULATIONS §999.315 for that browser or device or, if known, the consumer. Under the GDPR, the GPC signal intends to convey a general request that data controllers limit the sale or sharing of the user's data to other data controllers (GDPR Articles 7 & 21). Over time, the GPC signal may be intended to communicate rights in other jurisdictions.
How to Enable GPC in your browser.
To test your browser's GPC signal, go to https://global-privacy-control.glitch.me/
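As an added example (not from the original post or from the GPC project), this is one way a site could honor the signal on the server and carry it to downstream services. It assumes the `Sec-GPC: 1` request header defined by the GPC specification; the function names, the vendor list and the stored-preference shape are hypothetical.

```javascript
// Added example. Only the header name/value come from the GPC specification;
// all function names, field names and sample data are hypothetical.

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are matched case-insensitively (Node lower-cases them).
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Combine the per-request signal with an opt-out already stored for a known
// consumer. An opt-out from either source wins; absence of the header on one
// request does not undo a stored opt-out.
function resolveOptOut(headers, storedPreference) {
  const signal = hasGpcSignal(headers);
  const stored = Boolean(storedPreference && storedPreference.optedOut);
  return {
    optedOut: signal || stored,
    source: signal ? 'gpc-signal' : stored ? 'stored-preference' : 'none',
  };
}

// Drop every third party that sells or shares data when the consumer opted out.
function selectVendors(vendors, decision) {
  return vendors
    .filter((v) => !(decision.optedOut && v.sellsOrShares))
    .map((v) => v.name);
}

// Headers to attach to internal downstream calls so the opt-out is not lost
// one hop later (forwarding the header is a design assumption of this sketch).
function downstreamHeaders(decision) {
  return decision.optedOut ? { 'Sec-GPC': '1' } : {};
}

// Constructed sample data, not taken from any real site.
const sampleVendors = [
  { name: 'ad-exchange', sellsOrShares: true },
  { name: 'error-monitoring', sellsOrShares: false },
];
const decision = resolveOptOut({ 'sec-gpc': '1' }, null);
console.log(decision, selectVendors(sampleVendors, decision));
```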
CCPA Relative to the Federal American Data Privacy and Protection Act (ADPPA)?
Introduced in the Senate in June 2022 and moving along at the blistering speed of the US Federal government, another law to watch is H.R.8152 - American Data Privacy and Protection Act. The bill establishes consumer data protections, including the right to access, correct, and delete personal data. Before engaging in targeted advertising, the bill requires companies to provide individuals with a means to opt out. Additionally, companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement.
Critics of the bill say it is not as mature as leading state legislation, including California, Colorado, Virginia, and New York. As a result, President Biden has proposed that ADPPA be enacted as a floor vs. a ceiling so that privacy rights laws can continue to evolve at the state level.
On February 25th, 2022, a day after Russian armed forces invaded Ukraine, the Chairman of the US Senate Intelligence Committee, Senator Mark Warner, wrote a letter to the CEO of Alphabet (Google's parent company). Senator Warner said in his letter:
"I write to encourage your company to assume a heightened posture towards exploitation of your platform by Russia and Russian-linked entities. [...] Unfortunately, your platforms continue to be key vectors for malign actors – notably those affiliated with the Russian government – to spread disinformation and profit from it."
The Truvantis Information Privacy Program
If you are wondering where you stand regarding the CPPA and what you need to comply with the new law, consulting a Truvantis expert is an excellent place to start.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations.
Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing testing, auditing and operating information security programs – balancing budget with risk appetite.