The California Privacy Rights Act (CPRA) continued to evolve amid lively public debate in May, with much of the focus on data collection and automated decision-making. In addition, the California Privacy Protection Agency (CPPA) held pre-rulemaking stakeholder sessions via Zoom May 4-6, attended by stakeholders from both sides of the debate. Consumer advocates and diverse industry representatives discussed several hot topics about how the new law may affect organizations and consumers, for better or worse.
It's less than a year before the CPRA will go into effect. By January 1, 2023, businesses must comply with regulations or risk hefty fines. Regulators, advocates, and interest groups – including big tech companies – were present. We have a few highlights from the meeting below.
Prominent Stakeholders in Attendance
As CPRA affects large tech companies, prominent stakeholders are in the conversation. Google, for example, was present and raised several concerns. The first three hours of the sessions focused on data collection and automated decision-making, with Google and other large tech companies weighing in. Automotive stakeholders were also interested in data collection regulations and how they might affect the development of self-driving vehicles and other customer service features.
While large organizations urged lawmakers not to overreach, consumer advocates and other privacy interest groups expressed concern about specific decision-making algorithms that target consumers, violate consumer privacy, or discriminate (e.g., financial profiling for loan applications).
Dark Patterns and User Influence
The design of an application can influence choice, and issues with these interfaces are an especially serious concern in social media apps. Dark patterns occur when application designers make certain options prominent in order to steer users, or persuade or trick consumers into choosing options that might not be in their best interest.
Consumer advocates expressed concern about how dark patterns influence minors and marginalized groups. CPRA conversations also focused on the user's right to opt out and businesses' default "opt-in" settings. Consumer groups argued that users should have readily available ways to opt out of services without complex or confusing procedures or, better yet, that opting out should be the default. Advocates cited cases where applications circumvented privacy regulations by using dark patterns to convince consumers to consent to data collection.
Automated Decision-Making Risk Assessments
Several topics focused on data collection and automated decision-making technology, where large technology groups had a stake in the discussions. Organizations apply artificial intelligence and machine learning to consumer data in algorithms, data science, and automated decision-making. However, without proper risk assessment, that data can be used to make biased decisions, and it is a constant struggle for data scientists to keep bias out of their models, since bias in a model can produce discriminatory outcomes. Bias can be intentional or unintentional, but it can go unnoticed if assessments are not performed on output, algorithms, and data models.
CPRA requires annual assessments of data and a review of sensitive information that could be used to introduce bias and safety risks to consumers. However, tech giants urged regulators not to overreach and to focus only on fully automated systems that would significantly affect consumers. Consumer advocates challenged this request, saying that CPRA did not have enough reach to control bias and discrimination in artificial intelligence and decision-making algorithms.
The main concerns during this discussion revolved around unintended ramifications, and speakers urged lawmakers to regulate automated decisions that could affect consumers financially. However, tech giants do not want regulations that would force them to divulge their algorithms' intellectual property and trade secrets.
Alignment with Other Privacy Laws
CCPA regulations were created for companies doing business with California consumers, but several other states have existing or evolving regulations that overlap with California's privacy laws. Connecticut's Act Concerning Personal Data Privacy and Online Monitoring is the most recent, and the Virginia Consumer Data Protection Act (VCDPA) is still evolving. Utah and Colorado also have state data privacy regulations. Businesses are concerned about the cost and complexity of complying with multiple international, federal, state, and industry-specific laws.
Several stakeholders urged regulators to align with existing laws, including the European Union's GDPR Article 22, referencing the EU's Digital Services Act and other artificial intelligence regulations.
Consumer Rights to Opt-Out
Recent changes to consumers' opt-out choices will extend to data brokers. A broker, by CPRA definition, is an entity that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Consumers can already delete or correct personal information held by companies they interact with directly. The new regulations will extend these rights to third parties (e.g., marketers and advertisers) who might sell data to their own customers.
One side of the debate claimed that limiting data collection by forcing default opt-out settings would inhibit their ability to serve consumers. The other side wanted stronger regulations to protect consumer privacy and the right to control their data.
Private Right of Action
A noticeable difference between CPRA and other regulations is its limited Private Right of Action. Consumers can bring lawsuits against businesses after a data breach. This May meeting indicates that the Private Right of Action will extend to guaranteed damages for data disclosure after simple technical issues. So instead of being limited to data breaches, consumers could have a right to monetary compensation when data is exposed through technical violations, even if no harm was done.
Cybersecurity Audits and Risk Assessments
To ensure data protection and privacy, CPRA will require yearly risk assessments and audits of how data is stored and managed. The new CPRA regulations extend to employee data, so assessments must cover internal and external data storage and management. Data audits and risk assessments ensure that any business procedures and decisions based on user data will be compliant with new CPRA regulations.
Truvantis Information Privacy Program
While the specifics of the CPRA timeline are in flux, the overall compliance requirements remain. As a result, experts advise organizations to prepare ahead of time for a smooth transition and minimal disruption.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you identify and track which requirements apply to you. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations.
Ready to move forward? Contact Truvantis for more information.