The Insights Association today urged the California Privacy Protection Agency (CPPA) to limit the negative impact of California’s privacy rules on the insights industry.
The California Privacy Rights Act (CPRA), approved via ballot initiative in 2020, will supersede the state’s existing comprehensive privacy law, the California Consumer Privacy Act (CCPA), when CPRA comes into effect on January 1, 2023. The CPPA, which took over regulatory authority for CCPA/CPRA from the state Attorney General on April 21, 2022, is behind schedule in issuing CPRA regulations, but recently released draft rules for comment.
The Insights Association (IA), the leading nonprofit organization representing the insights industry, filed comments with the CPPA today.
Howard Fienberg, IA’s Senior VP Advocacy, observed that, “these recommendations would streamline and improve compliance with a complex privacy law and regulation without diminishing consumer privacy protection. While the Insights Association continues to lobby in DC for a comprehensive federal privacy law, we strive for a California regulatory environment as conducive to insights production as possible.”
Addressing the association’s first two points of concern, Fienberg commented that, “By aligning CPRA with federal legislation, and laws in Colorado, Connecticut and Utah, the CPPA can ensure the continued independent measurement and evaluation of advertising and content that brings transparency and understanding essential to the functioning of much of the modern U.S. economy. Also, by limiting opt-out preference signal adaptation to only larger businesses, the agency will protect the smallest insights companies from overly onerous regulatory requirements.”
IA’s comments urged the agency to:
- “Bring CPRA in line with draft federal privacy legislation and other state laws by adding audience measurement to the list of ‘business purposes’”;
- “Limit the opt-out preference signal requirement to firms that meet one of the first two prongs of the CPRA’s ‘business’ definition.”
- “Limit processing which presents a ‘significant risk’ to consumers’ privacy or security to highly sensitive personal information, such as financial account information;
- “Limit processing which presents a ‘significant risk’ to processing which occurs on a regular basis or a minimum number of times per year”;
- “Limit processing which presents a ‘significant risk’ to processing of at least 100,000 records”;
- “Limit the audit and risk assessment requirement to firms that meet one of the first two prongs of the CPRA’s ‘business’ definition”;
- “Clarify that use in research results and reports of ‘sensitive personal information’ is a ‘reasonably expected’ use of information provided in connection with corresponding surveys and research studies”;
- “Exempt market research from notices of financial incentives”; and
- “Limit the ‘authorized agent’ concept to minors, and elderly or incapacitated individuals.”
Read IA’s full comments to the CPPA on CPRA rulemaking.
(These are a follow-up to comments IA filed November 8, 2021.)