FPF Files Comments on CPRA Initial Rulemaking
Yesterday, the Future of Privacy Forum filed comments with the California Privacy Protection Agency on the initial rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which comes into effect in 2023, provides protections for sensitive personal information, expands the California Consumer Privacy Act’s opt-out rights, and requires businesses to provide mechanisms for individuals to access, correct, and delete data.
FPF offered resources and recommendations regarding automated decisionmaking, sensitive personal information, global opt-out signals, and de-identification. Among our comments, we suggest that regulations under the CPRA should:
- Establish guidelines for automated decisionmaking (ADM) that produces “legal or similarly significant effects.”
- Provide that information about “automated decisionmaking” follow NIST interpretability guidelines, and be meaningful and reasonably understandable to the average consumer.
- Clarify a range of potential use cases for health and wellness data, by providing a principled, exemplar list of categories that are in or out of scope. In many cases, such distinctions will be based on context and reasonable use.
- Ensure opportunities for socially beneficial commercial research using sensitive personal information.
- Clarify the role of global opt-out signals in the context of today’s labyrinth of existing permission frameworks, including in authenticated and non-authenticated platforms.
- Establish an open process for authoritative approval of new global opt-out signals that meet the technical specifications of the Agency over time.
- Seek further input from de-identification experts and researchers to clarify key implementation issues for “deidentified data,” including the role of technical, legal, and administrative controls, and Privacy Enhancing Technologies (PETs).
To read FPF’s full comments, click here.