California Privacy Regulation Heats Up: State Official
Prepare for more California privacy activity in coming months, California Privacy Protection Agency Senior Privacy Counsel Lisa Kim said Wednesday. Kim previewed CPPA enforcement, rulemaking and legislative work at a virtual FCBA privacy symposium Wednesday. A growing patchwork of state privacy laws makes it difficult for businesses to create a good consumer experience for making privacy choices, said corporate privacy practitioners during a later panel.
“Much more to come on the enforcement front,” said Kim. The CPPA will start enforcing regulations that litigation with the California Chamber of Commerce held up, she said. The chamber sought California Supreme Court review of a Feb. 9 state appeals court decision allowing enforcement to begin (see 2402210031). But there’s “no indication” whether the high court will take the case, said Kim.
It’s not enough to comply with Europe’s law, the general data protection regulation (GDPR), advised the CPPA counsel: Businesses should carefully read the California Consumer Privacy Act (CCPA) and the now-enforceable agency rules. Pay close attention to regulations on collection and use of personal information; methods for collecting consumer consent, including restrictions on dark patterns; handling of opt-out preference signals; and contract requirements, said Kim.
The CPPA received more than 1,200 complaints through a web portal since it opened in July, said Kim. “We do not represent individuals, but we use the complaints to help inform our enforcement priorities, identify targets, spot trends and as a pipeline for opening new investigations.” The complaints already have “prompted multiple investigations,” including one on connected vehicles (see 2308010014) and others that remain confidential, she said.
And more California privacy rules are coming, said Kim. The CPPA board last week authorized staff to move forward with paperwork needed to launch a rulemaking on automated decision-making and other items. Rulemaking could open in July (see 2403080045). In addition, the agency is working on rules, required by last year’s Delete Act, to develop an accessible way for consumers to delete data that brokers collect on them, she said. This year the agency is pushing for a state bill (AB-3048) that would require web browsers to support global opt-out signals. If it becomes law, that requirement would benefit eight other states that require businesses to honor such signals, said Kim.
California is one of 15 states with sweeping privacy laws. New Hampshire joined the pack last week (see 2403070064) and bills in multiple other states are pending.
Visa seeks to give consumers "informed consent that's clear and concise," but it’s "hard to balance with the ... complex regulatory framework we're dealing with in terms of all the states and how they view consent," said its Associate General Counsel Sabrina Khandwalla on a later panel. "Our efforts to comply with state laws and create privacy notices is creating less transparency” and may confuse consumers, she said. The Visa privacy practitioner gets a “drowning” feeling when a new state law comes out, she said later. “Our approach is really creating a framework for the whole company and then” adopting approaches that deviate.
It helps when different states make laws interoperable, T-Mobile Corporate Counsel Karl Gerner said. On the California privacy rules taking effect, Gerner said the "threat of enforcement is an incentive," but T-Mobile is more motivated on the issue by its relationships with customers.