*EMERGENCY DISPATCH* - California Privacy Updates (7/18)

Welcome to the second-ever Emergency Edition of The Patchwork Dispatch, bringing you the latest in U.S. state privacy law. On Friday July 14th, the California Privacy Protection Agency (CPPA) hosted a board meeting that provided significant insight into forthcoming regulation, enforcement, and legislation in the Golden State. Here are the key takeaways that you need to know:

1. Proposed Rulemaking Language on AI

The Board’s New Rules Subcommittee floated key considerations and potential language for future CCPA regulations governing cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT).

Of particular interest, the draft language on ADMT diverges significantly from comparable state and global privacy laws (see slides 17 & 23). The subcommittee appears to be exploring the creation of a right to opt-out of ADMT that is not bound to ‘solely automated’ or ‘final’ decisions, but that encompasses any computational process that uses personal information “as whole or part of a system to make or execute a decision or facilitate human decision making” (language modeled in part on the OSTP’s [nonstatutory] AI Bill of Rights).

Furthermore, rather than use the common ‘legal or similarly significant effects’ standard for the types of decisions subject to consumer rights and protections, the subcommittee is considering five distinct thresholds for ADMT access and opt-out rights. These include the right to opt-out when a business uses ADMT “to monitor or surveil” employees or students; uses ADMT to “track the behavior, location, movements, or actions of consumers in publicly accessible places;” and processes the personal information of consumers under the age of 16 in the use of ADMT.

This novel approach will raise a variety of practical questions that the Board will need to address. For starters, a literal reading of the draft definition of ADMT suggests that consumers will have the right to obtain many products and services based on decisions that are made without the use of essentially any data processing by computers - an obvious impracticality. Furthermore, the introduction of new, undefined terms such as "track", "monitor", and "surveil" that likely overlap with existing rules on data collection (and each other) will also create complications. As just one example, as drafted the Board appears to be seeking to grant students the right to opt-out of test proctoring and anti-plagiarism systems.

2. Endorsing Legislation

The Board voted 3-0 to endorse several bills currently pending in the California legislature (Board Member Mactaggart was absent from the meeting and a replacement has yet to be named for former Board Member Thompson). These bills include:

  • AB 947: To expand the CCPA’s definition of “sensitive personal information” to include information revealing citizenship or immigration status.
  • AB 1194: Clarifying that certain exemptions from the CCPA’s protections do not apply to personal information regarding contraception, pregnancy care, and perinatal care.
  • AB 1546: Extending the Attorney General’s statute of limitations to begin enforcement of a CCPA violation from 1 to 5 years (matching the CCPA’s statute of limitations for administrative actions).
  • SB 362: Which would amend California’s Data Broker Registry law to transfer authority from The California Department of Justice to the CPPA and direct the Agency to establish a deletion mechanism that allows consumers to make a single request that all registered data brokers delete their information.

3. Enforcement Updates and Priorities:

Michael Macko, Deputy Director of Enforcement, delivered comments responding to the Sacramento Superior Court’s recent holding in CalChamber v. CCPA that California may not enforce CCPA regulations until a year after their finalization. Macko stressed that the holding provides businesses with “no vacation” from enforcement because the underlying statutory text of the CPRA amendments (in addition to the original CCPA of 2018 and its amendments) remains fully enforceable. Macko then laid out three priority areas for enforcement:

  1. Privacy notices and policies - these were described as a “gateway issue” that is not onerous, not new, and that is explicit within the law.
  2. Right to delete - Macko noted that this right has existed for a long time pursuant to the CCPA of 2018 in contrast to the right to correct that was introduced in the CPRA amendments.
  3. Implementation of consumer requests (including the right to opt-out of sale) - with a focus on what barriers, if any, businesses are introducing to the exercise of rights.

Separately, the meeting debuted a new online Consumer Complaint Form that allows members of the public to submit both sworn and unsworn complaints about possible violations of the CCPA. Since 'soft launching' on July 6th, the system has already received 13 complaints from members of the public.

4. California Children’s Data Protection Working Group Update

The Board received a report explaining that appointments to the California Age-Appropriate Design Code Act's Children’s Data Protection Working Group were delayed due to statutory ambiguity as to whether the Working Group was supposed to exist under the auspices of the California Attorney General’s Office or the California Privacy Protection Agency.

This issue was resolved with the enactment of AB 127 last week, which clarifies that the Working Group will exist within the AG’s Office. AB 127 further removed one of the CPPA’s two appointees to the Working Group and delayed the due date for the Working Group’s first recommendation report to the state legislature to July 1, 2024.

Note that this is all assuming that the AADC survives pending NetChoice litigation regarding the law's constitutionality. A first court hearing is scheduled for July 27, so stay tuned for updates in a future Dispatch.

5. California AG Enforcement Letters on Employee Data

Surprise! The California Attorney General's Office once again made enforcement news *during* a California Privacy Protection Agency Board meeting (lest anyone forget that both entities are empowered to enforce the CCPA).

This time, the AG’s Office announced a new investigative sweep, sending inquiry letters to large California employers requesting information on their CCPA compliance with respect to the personal information of employees and job applicants.

While the drafters of the California Consumer Privacy Act likely did not intend for their law to apply to employee and job applicant data, the California legislature was unable to come to an agreement that would further postpone the CCPA’s statutory applicability to these categories of information by the law’s January 1st effective date.

This action is notable because treatment of employee data is not one of the enforcement priorities that the CPPA's enforcement division announced at the Board meeting (see above). The Agency has also previously identified regulations to clarify the CCPA's application to employee data as a potential future rulemaking topic and one that would be "Hard," requiring "substantial research and pre-rulemaking activities".

As always, thanks for stopping by. If you're looking to learn more about the new wave of (non-comprehensive) state privacy laws, I am joining an ABA Panel on the topic on July 26th (free for ABA members, $25 for others).


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

I see the employee monitoring as triggering compliance issues for many companies.

Heather Moore

MAKING THE IMPOSSIBLE.. POSSIBLE

1 yr

Good stuff....

Extra! Extra! Thanks for all the CPPA news that’s fit to print, Keir Lamont. I’m curious to see how much uptake the CPPA complaint form gets compared to the OAG complaint form. As they promote awareness, crowdsourcing will create a steady flow of investigation targets.

Joseph McGurrin

Data + Privacy + Cybersecurity + AI

1 yr

Thank you, Keir Lamont!

Jon Neiditz

Insightful Ideation by Hybrid Intelligences for Everybody

1 yr

Yo CPPA Board! What's the biggest difference between LLM tech and ADMTs? https://www.dhirubhai.net/pulse/yo-privacy-pro-ftc-watch-code-interpreter-gutpunch-big-jon-neiditz/
