Proposed Regulations Clarify Data Privacy Rules in California

A new set of proposed regulations in California gives companies some guidance on how they should handle sensitive personal data.

On May 27, the California Privacy Protection Agency released new draft regulations implementing the California Privacy Rights Act. The agency was scheduled to meet on June 8 and was expected to publish a notice of proposed rulemaking, followed by a 45-day public comment period before the regulations are finalized.

“There may be further regulations coming later this year,” said Darcey Groden, a lawyer with Fisher Phillips, based in San Diego. The agency’s board considered a second set of regulations to address annual cybersecurity audits, regular risk assessments, and automated decision-making. This second set of regulations could be published before the process to finalize the current set of proposed regulations is complete, she added.

But don’t wait for the final text before taking action to ensure that you’re compliant with the recent privacy laws.

“Businesses need to start preparing because the California Privacy Protection Agency has made clear it wants the regulations to give the law real teeth,” Groden said.

Businesses that share or sell personal information must notify consumers beforehand and allow consumers to opt out. Companies must also pass these legal obligations down to their service providers and contractors through their contracts.

The state privacy law, passed in 2020, gives consumers the right to tell businesses to not share or sell their personal information. Consumers also have the right to request that a company delete all of their personal information.

Steps To Take

The first step is knowing what sensitive personal information your organization collects from customers and employees. “Businesses should scrutinize what sensitive personal information they have, whether they need it, and make sure their privacy policies and practices ensure adequate security for it,” Groden advised.

Sensitive personal information includes:

  • Social Security number.
  • Driver’s license or passport number.
  • Precise geolocation.
  • Account log-in, financial account, debit card or credit card number.
  • Racial or ethnic identity.
  • Religious affiliation.
  • Biometric or genetic information.
  • Union membership.

The second step is to update your written privacy policies and notices to customers and employees. Include the right to limit the use of sensitive personal information and the right to correct any inaccurate information.

“You should plan to start early on working with your IT vendors to ensure that you have this buttoned up ahead of 2023,” Groden advised. “It is not enough to have a policy in writing on how long to keep information. You need to work through the process of how you will actually purge stale data on a large scale, as compared to deleting personal information in response to individual consumer requests.”

The proposed regulations prohibit “dark patterns” that are designed to manipulate or subvert consumer choice. Examples of this include:

  • Offering options on a website that say “yes” or “ask me later” (rather than “yes” or “no”).
  • Defaulting into a choice that is considered less protective of privacy.
  • Manipulative language, such as making a consumer click through reasons why opting out of the sale of personal information is a bad choice.

“Dark patterns were already prohibited under the California Privacy Rights Act, and the proposed regulations add that obtaining consumer consent with the use of a dark pattern nullifies the consumer’s consent,” said Ryan Blaney, an attorney with Proskauer in Washington, D.C.

The proposed regulations would allow the agency to audit a business under three scenarios:

  • To investigate possible violations of privacy laws.
  • If a business’s processing of personal information poses significant risk to consumer privacy or security.
  • If the business has a history of noncompliance with the state’s privacy laws or any other privacy protection law.

“If the proposed regulations are adopted as drafted, the agency will have a large base from which it can decide to open an investigation,” Groden said. “Not only will the agency be able to open an investigation based on information from sworn affidavits under penalty from the general public, it will have the power to initiate an investigation based on referrals from other government agencies, private organizations, and even nonsworn or anonymous complaints.”

If a company violates the privacy law, the agency may order the business to stop the violation and pay a fine of $2,500 per violation or $7,500 per intentional violation.

Companies that operate in multiple states need to stay abreast of the various legal changes.

“Five states, including California, have comprehensive data protection laws that are scheduled to go into effect in the near future,” Groden noted. “This is on top of other, more narrowly targeted consumer protection laws on the federal level, in California, and in other states. Noncompliance with them could make a business a target for an audit in California.”

“I do not think California is going to be copied as a model,” said Philip Gordon, an attorney with Littler, based in Denver. “I think other states are going to follow with data protection laws.”
