E Point Perfect – Interesting and beneficial content
Law \ Legal

What Should We Do About the Draft CPRA Regulations?: Collection and Notice


The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rule making process and public comment period.

These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of 16, non-discrimination practices, and requirements for verifying requests. Requirements around cybersecurity audits, risk assessments, and automated decision-making technology were not covered in this draft.

While the draft regulations do not address all topics on which the CPRA required the CPPA to adopt regulations, the draft does include guidance on certain topics of interest such as data processing agreements and the opt-out preference signal. In this series we examine some of the key takeaways for companies.

Our focus in today’s post is on collection and notice. Under the proposed regulations, a business’s collection, use, retention and sharing of personal information should be consistent with what a consumer would expect when the information was collected. Any uses that are unrelated or incompatible with the original purpose requires explicit consent from the consumer. The draft provides four illustrative examples on this point.

For privacy policies, the regulations largely incorporate the statutory content requirements, and then adds new requirements. Where more than one business controls the collection of a consumer’s personal information, both the first-party business and any third-party businesses would have to provide a notice at collection. The draft provides several examples on this point.

Putting It Into Practice: This draft is likely to undergo many updates during the public notice and comment period. Whether they will be finalized before the CPRA comes into effect on January 1, 2023 is not clear. In light of this uncertainty, companies would be well served to look at the key developments to begin to develop approaches for addressing compliance.


Source link

Related posts

NLRB Leaves Lumps of Coal In Employers’ Holiday Gift Bags

What next for EU derived employment rights in the UK?

Most Likely Victims of Scams? It’s Not Who You Think: Cybersecurity Trends

Affordable Housing in Denver’s Capitol Hill Neighborhood

FSB publishes 2022 annual report on promoting global financial stability

Someone recently asked me to list foodborne illness outbreaks that I think people remember