News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top-10 operational impacts of the CPRA: Part 9 — The scope of the anticipated regulations Related reading: Top-10 operational impacts of the CPRA: Part 8 — Rights to delete, no retaliation and children’s privacy

rss_feed

""

Businesses and practitioners are busy evaluating how the California Privacy Rights Act differs from the California Consumer Privacy Act and what impact the CPRA will have on compliance obligations. Even with this analysis, there remains a big unknown — the significant regulations anticipated by the CPRA. The broad scope of this rulemaking is likely to further shape interpretation of the CPRA and impact compliance.

Section 1798.185 is the CPRA “Regulations” provision. It is one of a few provisions that became operative on the CPRA’s Dec. 16, 2020, effective date, replacing its CCPA counterpart. As discussed in the first part of this series, the attorney general initially has rulemaking authority, but the new California Privacy Protection Agency will assume rulemaking responsibilities by July 1, 2021, or within six months of the CPPA providing notice to the attorney general that it is ready to do so. Final CPRA regulations are to be adopted by July 1, 2022, a year ahead of the CPRA’s enforcement.

Section 1798.185 identifies 22 areas requiring regulation, including a catch-all category of “harmonizing the regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms,” and this list is not exhaustive. Businesses subject to the CPRA will want to be familiar with these anticipated regulations and follow the rulemaking process as they plan their compliance strategies. Some of the key rulemaking topics are discussed below.

Audits and risk assessments

One of the CPRA's most impactful provisions, 1798.185(a)(15), involves issuing regulations requiring businesses to conduct annual cybersecurity audits and "regular" risk assessments if the business's "processing of consumers' personal information presents significant risk to consumers' privacy or security." In determining whether the processing "may result in significant risk to the security of personal information," the CPRA identifies two factors to be considered: (1) the size and complexity of the business; and (2) the nature and scope of processing activities. 

While the specific requirements for audits and risk assessments will be determined by future regulations, the CPRA does provide some guidance. Businesses obligated to perform an audit will need to define the audit's scope and "establish[] a process to ensure that audits are thorough and independent." Risk assessments are to be submitted to the CPPA and need to include whether the processing includes sensitive personal information. They also need to identify and weigh the benefits against the potential risks of the processing, "with the goal of restricting or prohibiting the processing if the risks to [the] privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public."

The CPRA's risk assessment requirement is similar to the EU General Data Protection Regulation. Article 35 mandates a data protection impact assessment be carried out in consultation with the data protection officer for processing "likely to result in a high risk," but unlike the CPRA, it does not require DPIAs to be filed with a regulatory authority. While Article 35 identifies particular circumstances where DPIAs are necessary, it also calls for guidance regarding what kind of processing is subject to the DPIA requirement. Both the European Data Protection Board and individual countries, like the U.K. Information Commissioner's Office, have issued such guidance. Whether the CPPA or the CPRA regulations themselves will provide similar direction about the type of processing subject to the audit and risk assessment requirements is an issue for businesses to watch.

Opting out and limiting the use of personal information

The CPRA contemplates additional regulations regarding the process for consumers to opt out of the sale or sharing of personal information and restrict the use of sensitive personal information. Opt-out rights and obligations already are addressed by both current CCPA regulations and the proposed additional regulations. CPRA Section1798.185(a)(4) amends its CCPA counterpart to include the CPRA’s new concepts of sharing and sensitive personal information, directing “rules and procedures” be established to “facilitate and govern” consumer requests to opt-out or limit the use of sensitive information “to ensure that consumers have the ability to exercise their choices without undue burden and to prevent business[es] from engaging in deceptive or harassing conduct,” including retaliation. Like the CCPA, this provision also calls for regulations “to govern business compliance” with opt-out requests and for the development of a “recognizable and uniform opt-out logo or button” (an issue addressed in the proposed modifications to Section 999.306). 

The CPRA also calls for regulations regarding the opt-out preference signal referenced in Section 1798.135(b)(1). Businesses that allow consumers to opt out of the sale and sharing of personal information and limit the use of their sensitive personal information “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” do not have to provide the links or otherwise comply with the requirements in Section 1798.135(a). Section 1798.185(a)(19) requires regulations to “define the requirements and technical specifications” for an opt-out preference signal, identifying specific issues to be addressed, including ensuring the signal is “consumer-friendly, clearly, described, and easy to use by an average consumer.” This provision also contemplates a regulation establishing technical specifications for an opt-out preference signal that allows the consumer or their parent/guardian to specify they are under 13 years of age or at least 13 and less than 16 years of age.

In addition to addressing the technical specifications for an opt-out preference signal, CPRA Section 1798.185(a)(20) requires regulations “to govern how a business that has elected to comply with [1798.135(b)] responds ... to the signal” and gives consumers the opportunity to later “consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information.” Again, the CPRA gives specific directives for these regulations, including that they should “strive to promote competition and consumer choice and be technology neutral” and make sure “any link to a web page or its supporting content” allowing the consumer to consent to opt-in does not use dark patterns.

Rulemaking regarding this opt-out preference signal is likely to generate significant attention. While the CPRA appears to give businesses the choice about whether to respect opt-out preference signals, CCPA regulation Section 999.315 (adopted in August 2020 after the filing of the CPRA ballot initiative) requires businesses that collect information from consumers online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism ... as a valid request” to opt-out “for that browser or device, or, if known, for the consumer.” California Attorney General Xavier Becerra made headlines in late January when he appeared to endorse the Global Privacy Control opt-out tool as meeting CCPA requirements. Making business obligations clear with respect to the opt-out process will presumably be a rulemaking priority.

Automated decision-making technology

Article 22 of the GDPR gives data subjects “the right not to be subject to a decision based solely on automated processing, including profiling ....”  While the text of the CPRA does not include a similar right, it does provide for rulemaking on this issue. Section 1798.185(a)(16) requires regulations “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.” The provision includes mandating businesses “include meaningful information about the logic involved in those decision making processes, as well as a description of the likely outcome of the process with respect to the consumer” in response to access requests.

Consumer requests              

Some of the regulations deal with the consumer request process. Section 1798.185(a)(8) provides for regulations concerning how often and when a consumer can request a correction. It includes developing standards regarding a business’s response, how accuracy concerns can be resolved, fraud prevention measures, and a consumer’s right “to provide a written addendum to the business” if the request to correct is rejected.

Section 1798.185(a)(9) relates to the standard identified in 1798.130(a)(2)(B) allowing businesses not to provide information beyond the 12-month period in response to a verifiable consumer request if it deems the request “impossible or would involve a disproportionate effort.”

Definitions

The CPRA identifies the need for rulemaking regarding certain definitions, including:

  • “Intentionally interacts,” to maximize consumer privacy.
  • “Precise geolocation,” considering “if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.”
  • “Dark pattern.”
  • “Specific pieces of information obtained from a consumer,” “with the goal of maximizing a consumer’s right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful ... including system log information and other technical data.”

'Business purposes'

The term “business purposes” also will be subject to rulemaking, including regulations related to the ability of businesses, service providers and contractors to use consumers’ personal information, establishing when service providers and contractors can combine personal information from different sources, and identifying when service providers and contractors may use personal information received pursuant to a written contract with a business for their own business purposes.

CPPA audit authority

One of the functions of the CPPA is to appoint a chief privacy auditor “to conduct audits of businesses to ensure compliance” pursuant to future regulations. These regulations will “define the scope and process” for the CPPA’s audit authority, establish criteria for determining who should be audited, and “protect consumers’ personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena.”

Conclusion

As businesses consider their compliance obligations under the CPRA, they will need to keep in mind the anticipated regulations and what impact they may have operationally. Procedurally, the rulemaking process for the CCPA provides a sense of what to expect in the months to come. We will be monitoring the CPRA rulemaking process and providing updates as they occur.

Photo by Paul Hanaoka on Unsplash

'Top-10 operational impacts of the CPRA'

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the CCPA.

Click to view

'California Privacy Law, Fourth Edition'

“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Cathy Cosgrove Nonmember Contributor
Tags
Marketing/Retail
U.S.
Enforcement
Privacy Law
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
'Top-10 operational impacts of the CPRA'

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the CCPA.

Click to view

'California Privacy Law, Fourth Edition'

“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.

Print version | Digital version

Related Stories
Tags
Marketing/Retail
U.S.
Enforcement
Privacy Law
Westin Research Center
Recent Comments