California Continues to Update and Enforce Privacy Laws

Written by: Brock Wolf, Esq. and Alyssa J. Feliciano, Esq.

California continues to update its privacy policies. Changes and clarifications are constantly being announced, making it imperative for businesses to stay vigilant in their practices. Notably, the California Privacy Protection Agency subcommittee (the “Agency”), which was created under the California Privacy Rights Act (“CPRA”), proposed a framework for rulemaking. Additionally, the California Consumer Privacy Act’s (“CCPA”) definitions of a “sale” and “personal information” were both expanded upon.

I. The CPRA Proposed Framework For Rulemaking Process

The Agency’s framework identified several immediate actions to be taken. The immediate plan of action includes the following:

    1. The Agency invited the public to submit comments on the rulemaking framework in late September. The comments were accepted through November 8th and included a breakdown of topics for individuals to focus their feedback on.
    2. The Agency proposed three rulemaking subcommittees:
      • CCPA rules update subcommittee to update existing rules to include CPRA requirements
      • CPRA new rule subcommittee to draft new rules on items not addressed in CCPA rules
      • Rulemaking process subcommittee that will be responsible for the rulemaking process
    3. The Agency also plans to identify topics for informational hearings:
      • How the new regulations can further protect Californians’ right to privacy
      • Cybersecurity audits and risk assessments
      • Automated decision making
      • Right to correction
      • Opt-out preference signal
      • Sensitive personal information
      • Look-back period and record keeping
      • Definitions
    4. Hire Personnel

II. Definitions of “Sale” and “Personal Information”

A series of enforcement case examples released by the California Attorney General’s Office, led by Rob Bonta, confirmed that the use of cookies and other tracking methods is considered a “sale” under the CCPA. The companies that received enforcement letters regarding the practice were forced to remove the cookies and trackers from their webpages to comply.

California Governor Gavin Newsom also approved new legislation in October that expanded the definition of “personal data” to include genetic data. The legislation defines genetic data as any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified. Businesses must now disclose data breaches to California residents if their genetic data was compromised.
