The California Privacy Protection Agency Board held a public meeting on June 8 in Oakland, CA to further the CPRA rulemaking process. The agenda included clarifying section 4, Incompatible Activities Statement, and discussing proposed actions to Implement, Interpret, and Make Specific the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
More specifically, proposals suggest adding and removing specific definitions, restrictions on collecting and using personal information, additions regarding disclosure requirements and methods for submitting CCPA requests and obtaining consent, and specific subtractions and amendments to privacy policy provisions. A particular example of a request for change regards the definition of dark patterns and compliant design principles.
The board accepted public comments, which again echoed the widespread concern over the looming compliance deadline of Jan 1, 2023. While the board has acknowledged they will miss the July 1, 2022, deadline for the end of the rulemaking process, they have not announced an extension nor provided transparency into the process for deciding on an extension.
Members of the board acknowledged the issue and took it as an action item to share what they can at the next meeting regarding a possible extension to the Jan 1, 2023 compliance enforcement deadline.
Further comments stated concerns that the cost of compliance will be too high for small businesses and too complex for many medium to large organizations. Therefore, requests were made that the board sponsor tools and technology training to help companies that do not have in-house tools or knowledge figure out what to do to be compliant.
As the complexity of the legal landscape continues to grow, so does public scrutiny of organizations' privacy practices. For example, consider the recent case of DuckDuckGo CEO & Founder Gabriel Weinberg. If you are familiar with DDG, you know that the company stakes its reputation on touting that the DuckDuckGo search engine and its 'mobile browser' protect consumers' privacy better than other popular search engines.
@DuckDuckGo tweeted in March 2021 after Google had revealed how much personal information they collect in Chrome. In the tweet, DDG accused Google of spying on users and displayed a flow chart showing the difference between the data collected by the Chrome browser and that collected by the DuckDuckGo mobile browser.
The tweet went on to say, "DuckDuckGo Privacy Browser has been the second most downloaded mobile browser in the US (after Chrome) and, as you might expect, doesn't collect any data that are linked to you, making it simple to get the privacy you deserve online." Until this story broke, many people were unaware that DuckDuckGo had a mobile browser.
Last month, privacy watchdogs busted DuckDuckGo for having a deal with Microsoft, preventing them from blocking ad trackers from Microsoft properties. Weinberg replied, "Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties."
Weinberg, who goes by the user handle yegg, has since spent considerable effort defending DuckDuckGo on Hacker News. According to yegg in late May, "Overall our app is multi-pronged privacy protection in one package (private search, web protection, HTTPS upgrading, email protection, app tracking protection for Android, and more to come), being careful (and putting in a lot of effort) to not break things while still offering protections -- an "easy button" for privacy. And we constantly work to improve its capabilities and will continue to do so, including in this case. For example, we've recently been adding bespoke third-party protections for Google and Facebook, like Google AMP/Topics/FLEDGE protection and Facebook embedded content protection."
His detractors claimed that this situation "…undermines trust in a product that claims to be the bastion of privacy." Following his statement, yegg is accused of being a "salesman" and spouting "marketing mumbo jumbo." In addition, some questioned Microsoft's ethics and suggested that privacy practices founded on corporate motivations are impractical. Whether DuckDuckGo suffers long-term from this incident remains to be seen, but certainly, they have taken a hit to brand reputation and user trust.
While the CPRA timeline specifics are in flux, the overall compliance requirements remain. Experts advise organizations to prepare ahead of time for a smooth transition and minimal disruption. If you are wondering where you stand regarding the CPPA and what you need to comply with the new law, consulting a Truvantis expert is an excellent place to start.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations to which businesses may be subjected.
Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our customers improve their cybersecurity posture by implementing testing, auditing and operating information security programs.