Today the California Privacy Protection Agency (CPPA) held a board meeting covering a robust agenda. Below are our top takeaways from the meeting:
Enforcement:
Michael Macko, Deputy Director, Enforcement Division for the CPPA, provided a substantive update on CPPA enforcement.
Investigations underway:
Mr. Macko confirmed his team has been busy behind the scenes on CCPA enforcement, noting that the team is currently engaged in "double digit" investigations as well as a small amount of litigation. He said enforcement actions take 18+ months on average.
Takeaway: To date, there have been three public enforcement actions under the CCPA, all of which have been brought by the California AG's Office (not the CPPA). We expect public enforcement announcements from the CPPA in the coming months.
Enforcement priorities:
Mr. Macko reiterated the enforcement priorities for his team. To date, his team has focused on businesses:
- With non-compliant privacy notices and policies.
- That fail to honor the right to delete.
- With non-compliant implementation of consumer requests.
Mr. Macko then identified four new enforcement priorities for his team. His team is now also focused on businesses that:
- Fail to recognize opt-out requests unless a consumer provides verification.
- Sell or share personal information without a proper opt-out mechanism.
- Use dark patterns to prevent consumers from exercising their rights.
- Violate the law in a way that affects vulnerable populations and groups, including commonly recognized protected classes (e.g, children) and nonobvious communities. Notably, Mr. Macko cited the ongoing FTC v. Kochava litigation, which involves data revealing "people's visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities."
Takeaway: None of these enforcement priorities should come as a surprise. Opt-out rights and consumer requests obligations continue to be top priorities for regulators. And the most recent CCPA enforcement action involved children and data minimization. Businesses should pay close attention to these enforcement priorities.
Enforcement advisories:
Mr. Macko once again emphasized the CPPA's ability to issue enforcement advisories, such as the data minimization advisory from April 2024 (which we blogged about here). He noted that, although enforcement advisories are not legal interpretations, they serve to highlight issues the enforcement divisions have noticed and "place the regulated community on alert." According to Mr. Macko, ignoring an enforcement advisory can establish a business's lack of intent to comply with California law and can affect the amount of a fine in the event of an enforcement action.
Takeaway: Enforcement advisories provide insight into enforcement priorities. Businesses should carefully review enforcement advisories, especially given how strongly Mr. Macko indicated his division will treat the issues they highlight.
Consumer complaints:
Per Mr. Macko, the CPPA received over 2,000 consumer complaints last year, all of which were reviewed by enforcement staff and some of which formed the basis of investigations. The most common consumer complaints involved the right to delete, the collection, use, storing, or disclosure of personal information, and the opt-out of sale or sharing. The CPPA has also received complaints involving the right to correct, children's privacy, financial incentives, and loyalty programs.
Takeaway: Regulatory investigations often start in response to consumer complaints. Businesses should review their compliance around these issues.
Business cooperation:
Mr. Macko stated that the way a business responds to an investigation can impact the outcome. Timely and good faith cooperation and communication will facilitate a working, rather than adversarial, relationship between business and regulator and may result in reduced punishment for a business alleged to have violated California privacy law.
Takeaway: This position aligns with our experience with California regulators. Demonstrable good faith compliance efforts go a long way.
CCPA Regulations:
A significant portion of the board meeting related to new CCPA regulations.
Proposed rulemaking package:
Prior to the meeting, the CPPA released a proposed rulemaking package. This rulemaking package is essentially the existing CCPA regulations overlaid with the language proposed by staff over the past year for automated decisionmaking technology (ADMT), risk assessments, cybersecurity audits, insurance, and other updates. There are some minor changes to the language previously proposed by staff (such as new defined terms related to consumer rights to access and opt-out of ADMT), but ultimately the package mirrors what we saw earlier this year.
Takeaway: There is nothing surprising here. For our prior analysis of the proposed ADMT obligations (which are still relevant today), see our blog here.
No vote to advance:
The board decided not to bring a vote to advance the proposed rulemaking package. The board's cited reason for not advancing the package was that staff had not completed the required economic impact assessment. The board was concerned that without the economic analysis, the board could not fully evaluate the implications of the rulemaking package. The board will reconvene at a meeting in September to discuss the rulemaking package, and the economic impact assessment should be ready by that time.
Takeaway: While the economic impact assessment may have been the cited reason for the rulemaking package not advancing, there was also an underlying divide between board members as to whether they felt the rulemaking package was ready to move forward. Board members likely would not have been aligned had a vote taken place today.
ADMT and risk assessments:
The board spent substantial time discussing the extent to which risk assessments should be required for ADMTs. Board member Alastair MacTaggart, in particular, voiced concern about the current language, noting that the regulations may inadvertently implicate a greater number of technologies than anticipated due to the broad definitions of AI and ADMT. This concern led to a discussion among board members around the scope of the regulations and possible delay in the rulemaking process. Staff is expected to make some changes to address the board's concerns.
Takeaway: I agree with Mr. MacTaggart that key parts of the rulemaking package are ambiguous. However, given that staff and board members have voiced that they do not want to further delay the rulemaking process, we expect board members will vote at the next meeting in September to move forward with formal rulemaking.
Insurance:
The board discussed the potential insurance regulations, and how they will likely be delayed given that there is a model insurance code pending in the California legislature that may affect this portion of the regulations.
Takeaway: The insurance regulations will likely be finalized after other language in this package.
Estimated timeframe:
The next meeting where the board can discuss the proposed rulemaking package will be held in September 2024. If the board approves formal rulemaking at that meeting, the CPPA will publish a notice of proposed action, which starts a 45 day public comment period. The CPPA must then respond to each comment submitted, which will take time. If the CPPA makes substantial changes to the rulemaking package, it must provide a 15 day public comment period. Again, the CPPA must respond to each comment submitted. There may be multiple 15 day public comment periods if the board makes further substantial changes. After this process, if the board approves a final rulemaking package, the CPPA will transmit the package to OAL for review. OAL then has 30 days to conduct a review, approve the package, and file with the Secretary of State. The regulations become effective based on the date filed with the Secretary of State.
Takeaway: Rulemaking is a lengthy process. Given that the CPPA will not take a vote of formal rulemaking until September 2024, we expect the earliest the CCPA Regs would take effect is Q2 2025. That is later than our original estimate of Q1 2025.
Coordination with other Jurisdictions:
The CPPA discussed coordination with other jurisdictions. Ashkan Soltani, Executive Director for the CPPA, discussed the CPPA's partnership and cooperation with international data protection authorities and organizations, including the French data protection authority (CNIL), the Organization for Economic Cooperation and Development, and the Dubai International Financial Centre. Mr. Macko noted that the enforcement team has looked to CNIL for guidance on building out the enforcement division. Near the end of the meeting, the board directed staff to communicate with the European Commission and explore a potential adequacy determination under the EU GDPR.
Takeaway: The CPPA is clearly looking to take on a global role with privacy compliance. Could we see joint enforcement between California and French data protection authorities?
Legislative update:
The board discussed several bills under considerations in the California Legislature, supporting some while taking a wait and see approach for others. In particular, the board discussed amendments to AB 3048, which, if passed, would require all browsers to support opt-out preference signals.
Takeaway: Privacy professional expect the opt-out preference signal bill to pass. Requiring browsers (like Safari and Chrome) to support opt-out preference signals could considerably impact the ability of businesses to monetize data, especially in connection with targeted advertising.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.