The California Privacy Protection Agency (“CPPA”) has been active since the start of the year.  In this blog post we summarize some key activities of the CPPA to date in 2024, including:

  • On April 2, 2024, the CPPA Enforcement Division issued its inaugural advisory, emphasizing the importance of data minimization.  (Read more about the enforcement advisory below.)
  • In March 2024, the CPPA’s March Board Meeting included several notable developments, including:
    • Draft proposed regulations on risk assessments and automated decision-making technology. Draft updates to existing CCPA Regulations, including updates to the definition of sensitive personal information and requirements relating to verifying and denying consumer requests. A summary of the CPPA’s enforcement priorities for 2024, which include privacy notices, right to delete issues, and the processing of consumer requests.
    • A report on the number of complaints received by the CPPA since July 2023.

(Read more about the March 2024 Board Meeting below.)

  • On February 9, 2024, the CPPA won its appeal of a lower court ruling that delayed for one year the enforcement of the updated CCPA Regulations, implemented pursuant to the California Privacy Rights Act of 2020.   
  • In January 2024, the CPPA launched https://privacy.ca.gov, a new online resource on California privacy rights for consumers.

In 2024, the CPPA has also weighed in on proposed federal and state privacy legislation, issuing a statement heavily critical of the federal American Privacy Rights Act legislation, and strongly supporting California’s AB 3048, which would expand business requirements regarding privacy preference and opt out signals.

CPPA Enforcement Advisory on Data Minimization

On April 2, 2024, the CPPA issued its inaugural enforcement advisory under the California Consumer Privacy Act (“CCPA”) which focused on the need to apply data minimization principles across its processing activities and its processing of consumer privacy requests, emphasizing:

Data minimization is a foundational principle in the CCPA. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information.

The CPPA also observed that:

[C]ertain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.

As one of many core principles of the CCPA, data minimization requires businesses to restrict the processing of personal information to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”[1]

Regulations issued pursuant to the CCPA expand on this principle, stating the necessary and proportionate assessment should be based on the following:

  1. The minimum personal information that is necessary to achieve the purpose identified, as disclosed to the consumer;
  2. The possible negative impacts on consumers posed by the business’s collection or processing of personal information; and
  3. Additional safeguards used by the business to address the possible negative impacts on consumers.[2]

Data Minimization in Verifying Consumer Requests. When responding to consumer requests, the CCPA requires businesses to verify that the person making a request to delete, correct, or know is the consumer about whom the business has collected personal information.

The CCPA prohibits businesses from requiring a consumer to verify their identity to make a request to opt-out of the sale/sharing of personal information or to limit use and disclosure of sensitive personal information; however, the business may ask the consumer for information necessary to complete the request.

The CCPA regulations provide businesses with guidance in determining the method by which the business will verify the consumer’s identity:

  1. Whenever feasible, match the identifying information provided by the consumer to the consumer’s personal information the business already maintains, or use a third-party identity verification service;
  2. Avoid collecting certain types of personal information (such as Social Security number, driver’s license number, financial account numbers, or unique biometric data), unless necessary for the purpose of verifying the consumer; and
  3. Consider the following factors, including (i) the type, sensitivity, and value of the personal information collected and maintained about the consumer; (ii) the risk of harm to the consumer; (iii) the likelihood that fraudulent or malicious actors would seek the personal information; (iv) whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated; (v) the manner in which the business interacts with the consumer, and (vi) available technology for verification.[3]

Businesses must generally avoid requesting additional information from the consumer for verification purposes; however, to the extent the business cannot verify the consumer’s identity, the business may request additional information which must only be used for verifying the consumer’s identity, security, or fraud-prevention. The business must delete any new personal information collected for verification purposes as soon as practical after processing the consumer’s request, subject to the CCPA’s record-keeping requirements.

Questions to Consider When Responding to Consumer Requests. The advisory includes illustrative scenarios on the application of the data minimization principle to CCPA requests to opt-out of the sale/sharing of personal information and requests to delete personal information.  The advisory also provides a list of questions for businesses to consider when processing consumer requests:

  1. What is the minimum personal information that is necessary to achieve this purpose?
  2. We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
  3. What are the possible negative impacts posed if we collect or use the personal information in this manner?
  4. Are there additional safeguards we could put in place to address the possible negative impacts?

Businesses should keep the above questions in mind when determining how to verify and process consumer requests.

For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.

Takeaways from CPPA March 2024 Board Meeting: Enforcement Priorities and Revised Regulations on the Horizon

On March 8, 2024, the CPPA held a public meeting to discuss, among other things, its enforcement priorities and proposed regulations on risk assessments and automated decisionmaking technology (“ADMT”). This article summaries the key takeaways from the meeting and highlights from the new regulations on the horizon in California.

Enforcement Priorities. During the meeting, Michael Macko the Deputy Director for the Enforcement Division presented on enforcement updates and priorities. The presentation reported the CPPA received 1,208 complaints between July 6, 2023, and February 22, 2024. It may come as no surprise to privacy officers and compliance managers that the most common categories of complaints include right to delete and right to opt-out of sale issues. 

The CPPA reported that its upcoming enforcement priorities will be privacy notices, right to delete issues, and implementation of consumer requests.[4]

ADMT and Risk Assessment Regulations. As we recently reported, in late 2023, the CPPA released its initial draft regulations for ADMT and risk assessments. During the March 8, 2023 meeting, the Board was presented with an updated draft of the ADMT and risk assessment regulations and voted to progress these proposed regulations to formal rulemaking. It is important to note that the regulations are discussion drafts that are still in the preliminary rulemaking phase. Staff will begin preparing the required paperwork to initiate formal rulemaking based on the Board’s vote. During the meeting, CPPA General Counsel, Philip Laird, clarified that the Agency intends to do more public engagement this spring and summer for additional feedback on the draft ADMT and risk assessment regulations. On April 24, 2024, the CPPA announced three stakeholder sessions to take place this May. More information about the sessions and how you can attend is available on the CPPA website. Additional modifications may be made to the draft regulations based on feedback from the Board and the public throughout this process.

The following are notable updates to draft ADMT and risk assessment requirements in these new proposed draft regulations:

  • Revised Definition of ADMT. The CPPA has revised the definition of AMDT to mean “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” For purposes of this definition, the CPPA clarified that to “substantially facilitate human decisionmaking” means using the output of the technology as a key factor in a human’s decisionmaking. This includes, for example, using AMDT to generate a score about a consumer that the human reviewer uses as a primary factor to make a significant decision about them.
  • ADMT Exclusions. The CPPA has clarified that ADMT does not include the following technologies, provided these technologies do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking: web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies.
  • Revised Definition of Profiling. The CPPA has expanded the definition of profiling to include automated processing of personal information to analyze or predict an individual’s intelligence, ability, aptitude, mental health and predispositions.
  • New Trigger for Notice, Opt-Out and Access. The CPPA has revised the triggers for pre-use notice, opt-out, and access requirements by adding the use of ADMT for “profiling a consumer for behavioral advertising” as a trigger.
  • Updated Pre-Use Notice Requirements for ADMT. The CPPA has updated the pre-use notice requirements to streamline the information that a business must provide, and to allow for greater flexibility in how the business presents the information. The proposed revisions also include tailoring pre-notice requirements to specific uses of ADMT and requiring that the business disclose that they cannot retaliate against consumers.
  • Opt-Out Exceptions for ADMT. Under the proposed regulations, businesses would not be required to provide a consumer with the ability to opt-out of a business’s use of ADMT for a significant decision concerning the consumer if the business provides consumers with the ability to appeal to a human decisionmaker (the “human appeal exception”). To qualify for the human appeal exception, the business must satisfy certain requirements, including but not limited to, designating a qualified human reviewer who must consider relevant information, clearly describing how consumers can submit an appeal, and enabling the consumer to provide information for the human reviewer to consider. The proposed regulations also include an “evaluation exception” where a business does not need to provide a consumer with the ability to opt-out (subject to certain conditions) for purposes of admission, acceptance, or hiring decisions, allocation/assignment of work and compensation decisions, and work or educational profiling. Businesses would also not be required to provide a consumer with the ability to opt-out if the business’s use of the ADMT is necessary for security, fraud prevention, or safety purposes.
  • Revised Risk Assessment Thresholds. The CPPA has revised the risk assessment thresholds to clarify that risk assessments are required when the business (1) sells or shares personal information; (2) processes sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years of age); (3) uses ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); or (4) processes personal information to train ADMT or artificial intelligence that is capable of being used for a significant decision, to establish identity, for physical or biological profiling, for generating deepfakes, or for operating generative models.
  • Revised Risk Assessment Requirements. The CPPA’s proposed revisions include clarifying which operational elements must be identified in a risk assessment, which negative impacts to a consumers’ privacy a business may consider, and which safeguards a business must identify for ADMT to ensure the ADMT works as intended and does not discriminate.
  • Revised Risk Assessment Submission Requirements. The CPPA has streamlined what must be included in an abridged risk assessment and further clarified exemptions to the risk assessment submission requirements. For example, a business is not required to submit a risk assessment if the business has previously conducted and submitted to the CPPA an abridged risk assessment for a given processing activity, and there were no material changes to that processing during a subsequent submission period (however, the business must still submit a certification of compliance to the Agency).

Draft Updates to Existing CCPA Regulations. In addition to the initial draft regulations for ADMT and risk assessments, the CPPA also discussed revisions to the pre-existing CCPA regulations. Similar to the Risk Assessment and ADMT regulations discussed above, formal rulemaking proceedings are still pending for these proposed amendments, which include the following notable updates:

  • Revised Definition of Sensitive Personal Information. The CPPA proposed revising the definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.” The proposed revisions further clarify that businesses that willfully disregard the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
  • Denying Consumer Requests. Under the revised regulations, if the business denies a consumer’s request to know, correct, delete, opt-out of the sale/sharing of personal information, or limit use and disclosure of sensitive personal information, the business must, among other things, inform the consumer that they can file a complaint with the Agency and the Attorney General and provide links to the complaint forms available on their respective websites.
  • Verification of Consumer Requests. Under the revised regulations, businesses would be required to match identifying information provided by the consumer to the personal information of the consumer already maintained by the business before requesting additional information from the consumer (emphasis added).
  • Service Providers and Contractors. The CPPA proposed adding a requirement that any retention, use, or disclosure of personal information by service providers or contractors pursuant to its written contract with a business must be “reasonably necessary and proportionate” for the purposes stated in the contract.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.

[1] Civil Code § 1798.100(c)

[2] 11 CCR § 7002(d)

[3] 11 CCR § 7060(c)

[4] See the CPPA Enforcement Update & Priorities presentation available at https://cppa.ca.gov/meetings/materials/20240308_item6_enforcement_update.pdf.