California’s Data Privacy Agency CPRA Rulemaking

In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (“CPRA”). The CPRA expands the consumer data privacy protections present in the more widely known California Consumer Privacy Act (“CCPA”). Among other measures, the CPRA created the California Privacy Protection Agency (the “Agency”), which is tasked with CPRA rulemaking. The Agency recently put out a call for comments on particular topics that affect businesses that collect California resident consumer data.

What topics are in the CPRA rulemaking notice?

The Agency’s notice contains several topics of interest concerning its initial rulemaking efforts, notably those that are not covered by existing CCPA regulations. Of particular note are rules surrounding automated decision making, Agency privacy audits, and responses to specific consumer requests for data information.

Automated decision making technology is also referred to as “profiling” in the proposed rulemaking. It includes software that can evaluate a consumer based on his or her data, including work, income, health, interests, and location-related information. The Agency is fashioning rules to define: the scope of activities which constitute “profiling” or “automated decision making”; when consumers may obtain information about a business’s use of such technology (and how businesses should facilitate those requests); what information about automated decision making qualifies as providing “meaningful information about the logic” of the process; and the scope of a consumer’s right to opt out of being part of an organization’s automated decision making. With so many businesses dependent on using consumer data to target ads, the ultimate rules promulgated by the Agency should significantly impact the nature of this type of targeting in the future.

The CPRA also gives the Agency the right to audit a business’s CPRA compliance. The Agency has requested comment on how to define the scope of its audit authority, procedures and criteria for exercising this authority and choosing which businesses to audit, and how to protect consumers’ private data from disclosure during audit. Businesses that depend on collection, use, and sharing of consumer data should pay extra attention to this particular set of rules. Finding a balance between an “any one at any time” and a “wait until there is a problem” approach will dictate how robust the Agency’s auditing function will prove to be.

Finally, the Agency is crafting rules on information that businesses must provide to consumers upon request. Like the CCPA today, the CPRA requires that businesses disclose specific pieces of information to consumers for the 12-month period preceding the request. The CPRA also contemplates requiring businesses to provide information beyond the 12-month period unless it is impossible or “requires disproportionate effort.” By and through its rulemaking, the Agency plans to define what “impossible” and “disproportionate effort” mean.

Why does the Agency’s CPRA rulemaking matter to my business?

California has been at the forefront of consumer data privacy for years, most notably with the CCPA’s passage in 2018. Now, a new state agency will solidify and expand upon these consumer data protections. If your business relies on consumer data, then these new CPRA rules will be critical. For example: Does your company rely on algorithms or AI to help drive marketing campaigns? Then the automated decision making rules will affect you. Does your business have consumer data privacy records that go back for each consumer more than 12 months? Then, the auditing and information response rules matter to you.

Hire experienced privacy attorneys.

Almost every business relies on consumer data in some way to drive its marketing strategy. Consumer data privacy regulations are quite nuanced and failure to comply may result in state investigations, fines, or even lawsuits. Today, with so many businesses relying on consumer data and AI, staying CPRA compliant could not be more important. Keeping track of all of the regulatory changes and making sure that your data collection and privacy policies adjust is a full-time occupation in itself. But you can avoid much of this time, money, and headache by hiring experienced data privacy attorneys.

The attorneys at Klein Moynihan Turco have years of experience helping businesses of all sizes create and maintain robust consumer data collection, use, and sharing policies. Implementing strong privacy policies will help your business stay CCPA and CPRA compliant so that you can avoid most state-level investigations. If you need assistance with updating your consumer data collection practices and procedures or defending against a state Attorney General investigation, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
