Daily Journal

Administrative/Regulatory, Data Privacy

Mar. 29, 2021

New agency poised to clarify California privacy law

Appointments to the board that will lead the California Privacy Protection Agency include five individuals with deep backgrounds in academia, government service, public policy, and consumer rights.

Lindsey Tonsager

Partner, Covington & Burling LLP

Email: ltonsager@cov.com

Lindsey leads the firm's data privacy and cybersecurity practice on the West Coast.

California has come a step closer to setting up a new regulatory agency dedicated solely to protecting consumer privacy. Appointments to the board that will lead the California Privacy Protection Agency include five individuals with deep backgrounds in academia, government service, public policy, and consumer rights. Professor Jennifer M. Urban will chair the agency, joined by John Christopher Thompson, Angela Sierra, Lydia de la Torre and Vincent Le.

The new agency will likely be highly influential in shaping business practices involving consumers' personal information. Last November, California voters passed a ballot initiative that replaces the current privacy law with the California Privacy Rights Act. Under the CPRA, the new agency will be responsible for adopting regulations implementing the law, investigating and enforcing the statutory requirements, and educating consumers and businesses about their privacy rights and obligations. The statute directs the new agency to complete a rulemaking by July 1, 2022, so that businesses have time to come into compliance before the CPRA takes effect Jan. 1, 2023. Because the CPRA broadly regulates companies doing business in California, the impact of the agency's regulations and enforcement will be far-reaching.

Below we summarize some of the key issues for businesses that will be addressed by the new privacy agency.

• Regulations Clarifying Vendor Requirements. The new agency will specify the circumstances in which vendors can combine personal information received from multiple customers and use it for business purposes on behalf of the business, the vendor, and other customers. The scope of these regulations could impact whether companies will need to update their commercial agreements and standard terms.

• Opt-Out and Access Rights for Automated Decision-making Technologies. California's privacy statute does not specifically regulate automated decision-making technologies, including automated processing of personal information to predict (for example) a person's work performance, economic situation, or health. However, the statute directs the new agency to issue regulations clarifying how the CPRA's opt-out mechanisms and access rights should apply to automated decision-making technologies. With multiple board members having backgrounds in preventing algorithmic bias and discrimination, this topic could become a priority for the new agency.

• Application and Technical Specifications for Opt-Out Mechanisms. The CPRA gives consumers the right to choose whether their personal information is sold to third parties, whether it is shared with third parties for certain online advertising activities, and whether their sensitive personal information (such as financial information, government ID numbers, genetic data, certain health information, and precise geolocation) is used and disclosed for unexpected purposes. The new agency may adopt regulations that clarify the scope, application, and format of these various opt-out mechanisms and how businesses should respond to these consumer requests.

• Restrictions on Use of "Dark Patterns" to Obtain Consent. Consumer consent using prohibited "dark patterns" is ineffective under the CPRA. The statute defines a "dark pattern" to include "a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice," but authorizes the new agency to further define the term by regulation. Existing law already prohibits a range of dark pattern techniques, including unlawful "bait and switch" practices or failing to disclose material terms. It is not yet clear whether the regulations will be limited to these already illegal practices, or whether the board will try to expand the law to cover additional business practices.

• Proactive Audits by the New Chief Privacy Auditor. An appointment that still needs to be filled is the chief privacy auditor, who will be responsible for conducting proactive audits of industry compliance with the statutory requirements.

• Annual Cybersecurity Audits. Businesses that engage in data processing activities that present a "significant risk" to consumers' privacy or security must perform annual cybersecurity audits. The agency's new regulations will establish a process to ensure that these audits are "thorough and independent," and may clarify the thresholds for when such audits are required. This process could raise questions regarding the costs versus benefits of such assessments and the impact on attorney-client privilege.

• Submission of Risk Assessments. In addition to the cybersecurity audits described above, businesses that engage in data processing activities presenting a significant risk to consumers' privacy or security also must submit risk assessments to the new agency "on a regular basis." Under the statute, these risk assessments consider whether the data processing involves sensitive personal information and weigh the benefits and risks of such processing for the business, consumers, the public, and other stakeholders. The new agency is encouraged to issue a public report summarizing these risk assessments, but businesses are not required to divulge any trade secrets in connection with the assessments.

Another area to watch is the extent to which the new agency coordinates with other state, federal, and international regulators to avoid interpretations of the statute that diverge from privacy laws in other jurisdictions. Virginia recently became the second state in the nation to enact comprehensive privacy legislation, and proposals are under consideration in several other states including, for example, Florida, New York, Oklahoma, and Washington. Earlier this month, U.S. Representative Suzan DelBene proposed a framework for federal privacy legislation, and the European Union, Brazil, and a number of other countries have enacted robust privacy laws. Common themes emerge across these various regulations, including principles of informing consumers when personal information is processed; providing consumers rights over the access, deletion, and correction of their personal information; and implementing good data governance mechanisms. But the broad range of topics on which the new California agency can issue regulations creates some risk that the requirements could become so prescriptive that they diverge from requirements in other jurisdictions. The board members' familiarity with other state, federal, and international privacy and consumer protection laws may help minimize this risk.
