When California voters created a first-in-the-nation statewide agency to enforce consumer privacy laws in 2020, the ballot initiative they approved included a key date: July 1, 2022.
That was when the California Privacy Protection Agency was due to adopt the rules it will use to meet its enforcement mission. State law entitles residents to know, limit and correct the personal information businesses collect from them through websites, mobile applications and other digital means.
Yet seven months after the deadline set by Proposition 24, the CPPA is still working to complete its rulemaking.
The delay reveals the painstaking and complicated process of implementing an idea signed into law or approved by voters. It also reflects the intense pressure the fledgling agency is facing from technology and other business groups, which contend it is preparing to be too restrictive. It begins enforcement July 1.
There are huge stakes involved — the rules under consideration will determine corporate access to lucrative personal information about people. No other state, nor the federal government, has an agency devoted solely to enforcing privacy laws.
Wherever the rules land, it is possible they will be challenged in court.
“There’s pretty widespread interest and also concern with the process,” said Dylan Hoffman, who oversees advocacy in California for TechNet, an organization that represents major technology and e-commerce companies. Its members include Amazon, Apple, Google and Facebook’s parent company, Meta, according to its website.
In one sign of the interest, the CPPA received more than 150 letters about its proposed regulations over a roughly two-month period last year. The volume explains some of the delay: Staff have had to respond to each of the comments as part of the process. And they show disagreements over what state privacy law even allows the agency to do.
The CPPA’s board was set to meet Friday to consider a major set of rules during a public meeting. Even so, those requirements aren’t expected to be final until April, at the earliest.
Citing the long wait for finished rules, some groups have called for the agency’s enforcement powers to be delayed for a year.
The agency did not make Ashkan Soltani, its executive director since October 2021, available for an on-the-record interview. In an emailed statement, an unidentified spokesperson said the agency was “grateful for the strong public response” and the “many views shared” about its rules.
The set of privacy laws the CPPA will ultimately enforce were approved by the California Legislature in 2018. They gave residents the ability to know what personal data companies are collecting and the right to request its deletion.
Prop. 24 amended the 2018 law and added new rights for residents that were effective last month. Those include the ability to correct inaccurate personal data that a business has about them and to limit how certain information, like Social Security numbers, geolocation information and health data, is used.
The laws target businesses that earn more than $25 million in annual revenue, who buy or sell personal information of at least 100,000 people, or who make at least half of their revenue selling or sharing consumers’ personal information. The new agency has the ability to investigate and fine companies that don’t comply.
After the ballot measure passed, the rights under the new law had to be translated into regulations. The rules the board was set to consider Friday cover 66 pages. They allow, for example, businesses to deny requests to correct information if they believe they are fraudulent or abusive. But they require companies to explain why they did so. Business groups pushed back, contending that could create a security risk by forcing them to reveal sensitive anti-fraud measures.
Agency staff declined to make the change, saying in a response to the concern that businesses don’t have to include compromising information in their responses. The goal was to make sure people knew why their requests were denied, the agency added, in case they were done so improperly.
Beyond submitting comments, lobbyists and other representatives for businesses have tried to meet with CPPA’s staff and its board members. But the requests have been denied or ignored, according to interviews.
“I’d like to have an opportunity for a discussion on how these regulations will be implemented,” said Ben Golombek, a chief of staff for policy at the California Chamber of Commerce.
While the organization has submitted several comments to the agency directly, Golombek said it wanted an “opportunity for real communication for the people that are tasked with implementing these incredibly complex and important laws and regulations.”
He declined to disclose the group’s members, including those most concerned with the agency’s new rules.
Currently, four of the five CPPA board positions are filled. Law professors and privacy advocates, appointed by state political leaders including the governor and attorney general, are serving in the roles.
Hoffman, of TechNet, said in an emailed statement the organization requested meetings with board members and Soltani, the executive director. Soltani declined the request, Hoffman said, and members did not respond.
Amazon, Apple, Google and Meta, along with other companies, did not respond to emails seeking comment.
In its emailed statement, the CPPA spokesperson said the agency has encouraged interested parties to submit feedback in a transparent way.
“As noted, the Agency has benefited from very robust participation by the public in both preliminary and formal rulemaking work, and the record of this input is available to the public.”
One of TechNet’s issues is how the agency interprets the authority granted to it by Prop. 24. The group argues the initiative does not require companies to honor browser settings and other tools people use to automatically tell websites they don’t want their personal information sold or shared.
The agency disagreed, saying it was a “misinterpretation of the law” in a written response.
“We’re not trying to undercut this law,” Hoffman said, “we’re just trying to fulfill its promises.”
At the same time, the agency is also being closely watched by privacy and consumer groups.
Justin Brookman, director of technology policy for Consumer Reports, submitted a letter to the CPPA in November, saying its proposed regulations appeared to have been modified “largely to accommodate businesses who criticized the scope and text” of an earlier version.
One example cited by Brookman were draft rules that made it optional for companies to notify consumers that their request to opt out of sharing personal information was being honored. Without a mandatory notice, he said, people might not know if their requests were recognized.
In an interview, Brookman said even though some of the revisions went “too far,” he was not dismayed by the process.
“While I can criticize their decisions and ask for changes,” he said, “I can still acknowledge their overall body of work has been strong.”
Representatives from privacy groups were also largely positive about the CPPA so far, even if they didn’t agree with all of its proposed rules.
“I really see and appreciate all of the work they’re doing,” said Hayley Tsukayama, a legislative activist at the San Francisco-based Electronic Frontier Foundation. “They’ve sort of had to cross the bridge as they’re building it.”
That said, Tsukayama is eager to see what happens when the agency begins enforcement in July. It will share those duties with the Attorney General’s Office, which had previously enforced state privacy laws.
“If laws don’t have teeth,” she said, “it’s just a bunch of nice words.”
The Association of National Advertisers was one of the groups that asked for the agency to delay enforcement for a year, once the regulations are finalized.
“Companies very much want to take steps towards compliance and do what is right under the law,” Chris Oswald, the group’s head of government relations, said in an emailed statement. “Unfortunately, we do not yet have clarity on what will be required of the business community under the regulations at this stage, and we cannot know for sure until the rules are final.”
The agency has declined to agree to a delay. In a written response to comments asking it to do so, staff said it would cause “greater confusion for consumers and businesses.”
Companies have already been aware of the “general contours” of the proposed rules since at least July of 2022, the response continued. That said, the agency said it may consider the effect the delay has had when determining whether to investigate a business or take action against it.
That consideration did not alleviate concerns.
“We’re not starting at square one but it does take a significant amount of effort to change some of these things,” said Hoffman, of TechNet.
In the meantime, the CPPA’s enforcement team is still being staffed. The agency is recruiting for someone to lead it and more people will be added on once that person has been hired, the spokesperson said in the statement.
Friday’s meeting wasn’t expected to resolve all of the rules the agency is working on. It is in the preliminary stages of coming up with regulations that affect algorithms and other matters. That is expected to be another closely watched process.
©2023 The Sacramento Bee. Distributed by Tribune Content Agency, LLC.
