On Friday, the newly created California Privacy Protection Agency (CPPA) issued its first proposed regulations under the California Privacy Rights Act (CPRA).
The proposed rules have drawn criticism for requiring companies to treat browser-based “Do Not Track” signals as consumers asserting their opt-out rights. This rule came as a surprise to many observers because, as passed, the statute would have given companies the option to honor or ignore these signals. The draft would additionally require businesses to serve their disclosures in “eye-catching” colors, another area not explicitly prescribed by the CPRA statute.
Perhaps to balance the scales, the proposal also includes a new term of art, “disproportionate effort,” describing situations in which the burden of responding to a consumer request would “significantly outweigh” the consumer’s benefit. A business claiming this exception must give the consumer a detailed explanation that includes enough facts to provide a “meaningful understanding” as to why the business cannot honor the consumer’s request. This exception may also insulate companies from consumers who might abuse the request process. A business could likely claim “disproportionate effort,” for example, if a group of protestors coordinated to overwhelm it with requests.
It seems clear that the CPPA aims to make privacy-by-default the easiest option for California companies. Companies that collect and sell minimal personal information from consumers and respect “Do Not Track” signals will find it easy to comply with these proposed regulations. On the other hand, companies that wish to engage in data brokering would need to clear significantly more regulatory hurdles.
The CPPA will likely address other key CPRA aspects, such as dark patterns, algorithmic decision making, and child privacy, in future proposals.