June 28, 2022

Volume XII, Number 179


California Privacy Protection Agency Holds Informational Sessions and Announces Stakeholder Meetings

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held two public pre-rulemaking informational sessions via video conference regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

The goal of the first meeting on March 29 was to provide an overview of personal information and the CPRA. Among other highlights, Supervising Deputy Attorney General Stacey Schesser advocated for the retention of the current California Consumer Privacy Act regulations (“CCPA Regulations”) regarding user-enabled global privacy controls. The existing CCPA Regulations provide that businesses must treat user-enabled global privacy controls as a valid request to opt out of the sale of personal information. Relatedly, Deputy Attorney General Lisa Kim posited that the CPRA’s right to opt out of sharing for cross-context behavioral advertising applies to real-time bidding in advertising auctions and recommended that businesses give consumers the right to opt out of these auctions.

Separately, Jennifer King, Privacy and Data Policy Fellow at Stanford’s Institute for Human-Centered Artificial Intelligence, discussed using new terminology with respect to dark patterns and suggested that toggle switches for “CCPA Do Not Sell” requests may be considered a dark pattern (i.e., a tactic used by a company to trick consumers into making certain choices). Lior J. Strahilevitz, professor at the University of Chicago Law School, summarized recent studies of dark patterns, which found mild dark patterns significantly increase users’ acceptance of a program and are particularly coercive among less educated populations.

The second meeting on March 30 focused on risk assessments and consumer rights with respect to automated decision-making under the CPRA. UCLA Professor Safiya Noble highlighted the importance of addressing structural racism when developing rules and technologies related to automated decision-making. During a later presentation, Andrew Selbst, professor at UCLA School of Law, advocated for transparency in automated decision-making among developers, consumers and regulators.

Gwendal LeGrand, who serves as Head of Activity for Enforcement Support and Coordination for the European Data Protection Board, explained the requirements for privacy risk assessments under the EU General Data Protection Regulation, which may serve as a helpful case study for privacy risk assessments soon to be required by the CPRA. Under the CPRA and its forthcoming regulations, businesses will need to regularly submit to the CPPA a risk assessment regarding their processing of personal information. The assessment must consider whether the processing involves sensitive personal information, and must identify and weigh the risks and benefits of the processing to the business, the consumer, the public and other stakeholders.

The CPPA also recently announced additional meetings with stakeholders via teleconference beginning May 4, 2022. Stakeholders can sign up to participate in the meetings by completing the CPPA’s Stakeholder Session Request Form by April 22, 2022.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume XII, Number 105

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
