The California Privacy Protection Agency (“CPPA”) held two public hearings last week on its proposed regulations.
Here are some key takeaways:
- Enforcement date debate. Multiple commenters requested that the CPPA delay the enforcement date by at least one year after the regulations are finalized, i.e. January 1st, 2024 or later. However, other speakers pushed back on this request.
- Estimates of regulatory costs. At both hearings, commenters expressed concern that the CPPA’s estimates of regulatory costs to businesses were not realistic.
- Global opt-out preference signals. Commenters also addressed the draft regulations’ mandate that businesses honor global opt-out preference signals. Some supported the mandate, while others emphasized that the mandate is inconsistent with the CPRA’s statutory text. See, e.g., CPRA § 1798.135(b)(3) (providing that “a business may elect whether to” post links or comply with opt-out preference signals). Others called for more clarity from the CPPA on the issue, such as by compiling a registry of global opt-out preference signals that businesses are required to honor.
- Sensitive personal information. At the second hearing, commenters endorsed the restricted use and disclosure of sensitive information, emphasizing the importance of the CPRA’s data minimization standards.
- Dark patterns. Finally, some commenters supported the regulations’ language on dark patterns.