The newly formed California Privacy Protection Agency (the Agency) quietly released a preliminary draft of its proposed regulations on May 27, 2022, implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The 66-page draft includes seven full pages of detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but it does not cover a number of privacy hot topics mentioned in the grant of rulemaking authority to the Agency.

The Agency is required to conduct a formal notice and comment process on the proposed regulations, creating a strong probability of future changes. However, some of the more complicated proposed obligations, particularly around opting out of sales and sharing, will require significant preparation, planning and budget to implement. Because the rules already are unlikely to be finalized in advance of the CPRA's effective date of Jan. 1, 2023, businesses should begin big-picture planning now.

The draft regulations do not set forth any particular rules related to handling of personal information relating to or privacy requests from employees or individuals who interact with a business in a business capacity. They also do not elaborate on the new requirement for a business to make disclosures in its privacy policy about its practices related to retention of personal information or other topics set out in the grant of rulemaking authority, including cybersecurity audits, privacy risk assessments and automated decision-making.

It will take substantial time for business and legal teams to fully digest the implications of this lengthy draft and begin to strategize on a plan to operationalize concepts while still leaving flexibility for inevitable changes before the regulations become final. On first read, however, some themes and likely operational challenges emerge:

Heavy focus on consumer-friendly presentation of privacy options. The draft rules push a detailed vision as to how a consumer should experience the process of making privacy choices, including requiring that the process be "easy to understand," prohibiting "dark patterns," requiring "symmetry in choice" and prohibiting manipulative language. This would create significant leeway for the Agency to bring actions against businesses based on subjective judgments about their websites. Further, businesses are likely to experience tension between this principle and the complex requirements related to website disclosures and pop-ups discussed below.

Rules of the game driven by consumers' expectations. Businesses would be restricted to using personal information in a manner "consistent with what an average consumer would expect," but the proposed rules shed little light on how average consumer expectations should be determined. Some illustrative examples suggest, but do not explicitly state, that expectations would be determined by the nature of the products and services the business provides the consumer, meaning that disclosing a data processing practice in a privacy policy would not be enough to create an expectation if the processing is not essential to the provision of the product and service.

Confusion as to whether the law is opt-out or opt-in. The CCPA/CPRA is an opt-out law; consent is only required for the sale or sharing of personal information related to consumers under age 16 or a secondary use not disclosed at the time of collection. But the proposed rule that would require "collection, use, retention, and/or sharing" to be "reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed" seems to require opt-in consent for many collections of sensitive personal information and sales of personal information.