Proposed regulations clarify data privacy rules in California

A proposed new set of regulations in California gives businesses guidance on how they should handle sensitive personal data.

On May 27, the California Consumer Protection Agency released new regulations relating to the California Privacy Protection Act. The agency was scheduled to meet on June 8 and will likely issue a notice of proposed rulemaking, followed by a 45-day public comment period before the new regulations are finalized.

“There may be more regulations coming later this year,” said Darcey Groden, attorney at San Diego-based Fisher Phillips. The agency’s board considered a second set of regulations to address annual cybersecurity audits, regular risk assessments and automated decision-making. This second set of regulations could be released before the process of finalizing the current set of proposed regulations is complete, she added.

But don’t wait to take steps to make sure you’re compliant with recent privacy laws.

“Companies need to start preparing because the California Privacy Agency has made it clear that they want the regulations to give the law some real teeth,” Groden said.

Companies that share or sell personal information must notify consumers in advance and allow them to opt out. Companies must pass on these legal obligations to their service providers and subcontractors in their contracts.

The state privacy law, passed in 2020, gives consumers the right to tell companies not to share or sell their personal information. Consumers also have the right to ask a company to delete all of their personal information.

Steps to follow

The first step is to know what sensitive personal information your organization collects from customers and employees. “Companies should take a close look at the sensitive personal information they have, if they need it, and ensure that their privacy policies and practices provide adequate security,” Groden advised.

Sensitive personal information includes:

  • Social Security number.
  • Driver’s license or passport number.
  • Precise geolocation.
  • Account login, financial account, debit or credit card number.
  • Racial or ethnic identity.
  • Religious affiliation.
  • Biometric or genetic information.
  • Union membership.

The second step is to update your written privacy policies and notices to customers and employees. Include the right to limit the use of sensitive personal information and the right to correct any inaccurate information.

“You should plan to start working with your IT vendors early to make sure this is done before 2023,” Groden advised. “It’s not enough to have a written policy on how long information should be retained. You need to work on the process of deleting outdated data on a large scale, versus deleting personal information in response to individual consumer requests.”

The proposed regulations prohibit “dark patterns,” interface designs intended to manipulate or subvert consumer choice. Some examples:

  • Offering options on a website that say “yes” or “ask me later” (rather than “yes” or “no”).
  • Selecting by default the choice considered less protective of privacy.
  • Using manipulative language, such as making a consumer click through explanations of why opting out of the sale of personal information is a bad choice.

“Dark patterns were already prohibited under the California Privacy Rights Act, and the proposed regulations add that obtaining consumer consent with the use of a dark pattern voids consumer consent,” said Ryan Blaney, lawyer with Proskauer in Washington, DC.

The proposed regulations would allow the agency to audit a business under three scenarios:

  • To investigate possible violations of privacy laws.
  • If a company’s processing of personal information poses a significant risk to consumer privacy or security.
  • If the company has a history of non-compliance with state privacy laws or any other privacy laws.

“If the proposed regulations pass as written, the agency will have a broad basis from which to decide whether to initiate an investigation,” Groden said. “Not only will the agency be able to initiate an investigation based on information from sworn affidavits from the general public, but it will have the authority to initiate an investigation based on referrals from other government agencies, private organizations, and even unsworn or anonymous complaints.”

If a company violates privacy law, the agency can order the company to stop the violation and pay a fine of $2,500 per violation or $7,500 per intentional violation.

Businesses that operate in multiple states need to keep up to date with various legal changes.

“Five states, including California, have comprehensive data protection laws that are expected to go into effect in the near future,” Groden noted. “This is in addition to other more narrowly focused consumer protection laws at the federal level, in California and in other states. Failure to comply with these could make a company the target of an audit in California.”

“I don’t think California is going to be copied as a model,” said Philip Gordon, attorney at Denver-based Littler. “I think other states will follow with data protection laws.”