CalPrivacy Might Next Tackle Employee Data, Signals, Privacy Policies
The California Privacy Protection Agency is exploring possible rulemakings in the categories of employee data, opt-out preference signals (OOPS), disclosures and notices and reducing friction exercising consumer privacy rights, CalPrivacy staff told the board at its Friday meeting. Unlike with the previous rulemaking package on automated decision-making technology and other subjects, the agency plans to “present more targeted recommendations addressing only one or two policy issues at a time,” said General Counsel Philip Laird.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Unlike other states’ comprehensive privacy laws, the California Consumer Privacy Act (CCPA) covers employees, job applicants and independent contractors. “Over the years, we've received a significant amount of feedback on … how the CCPA applies to people within the work context,” including from the agency’s board, said Lisa Kim, CalPrivacy senior privacy counsel.
Staff plans to explore if there’s “any need for clarification on how the CCPA applies to employees and business practices in the management of employee data, and whether regulations can assist or clarify for businesses how to provide the necessary disclosures to their employees, as well as how to process employees’ data requests” under CCPA, said Kim.
The agency also plans to investigate how to make privacy policies and other types of notices and disclosures clearer and more effective for consumers, said Kim. Questions include: “How can we make notices more effective? What are consumers most interested in knowing? Where do businesses need help in making disclosures? What do consumers find the most confusing about notices?” Also, the agency is looking at whether executive summaries or “model template formats” would help.
A third topic “specifically would explore whether there is a need for any additional regulations to address things like dark patterns or other hurdles” that consumers or their authorized agents “are facing in the exercise of their CCPA rights,” said Kim. Also, it might include reviewing ID verification and authorized-agent procedures, and checking if “businesses are deliberately hiding or making it difficult to find opt-out pages.”
Fourth, Kim said CalPrivacy wants to review OOPS regulations to see if changes are needed in light of new laws like AB-566, which requires all web browsers to support universal opt-out preference signals (see 2510080036), and AB-1043, which will set up age-verification signals for protecting kids. "Staff believes it would be a worthwhile endeavor to review our regulations to see if there's any further need to harmonize signal requirements or provide guidance on how different signals should be processed."
“We would also explore signals that would exercise a consumer's right to limit the use and disclosure of sensitive personal information,” said Kim. “We would also collaborate with other agencies and jurisdictions to determine whether age assurance or other … state signals should be considered opt-out preferences under our law."
Board member Alastair Mactaggart pushed back on regulating employee data. He cautioned the agency not to “step too far afield into the employee-employer relationship,” given that it’s a continuing "topic for the legislature."
Chairperson Jennifer Urban agreed the agency should work with the legislature, but not to avoid the issue altogether. “We have heard a tremendous amount about the privacy implications” of employer relations with workers and contractors, she said. “It is clear to me that not only does our law cover this data … but that it is profoundly important for the privacy of natural persons [residing] in California.” Therefore, she said, it’s “actually incumbent upon us to explore the issue pretty carefully, given that it is under our jurisdiction."
Board member Drew Liebert particularly praised the item on disclosures and notices. "The one kind of consensus" that Liebert said he has "found over the years is that whether you're a business or a consumer, no one thinks this process is working well at all." He said that a 60,000-word privacy policy is far too tough to read. "It's not for the consumers, and it's not for any of us when we sign up for these products. It's a false system of privacy.”
CalPrivacy Board member Jill Hamer asked how staff is thinking about prioritizing the four potential buckets of rulemaking.
“The priority is all four,” replied Laird. However, he noted that a topic like employee data might take more time than reviewing signal requirements.
Possible new rules will be for businesses’ benefit, too, added the general counsel. “We have them at the front of our mind, as well, and thinking about what is not working in our regulations” and what’s creating “a regulatory sort of nightmare for them.”