California is a major center of new privacy law and regulation, creating opportunities for internet safety advocates to help design policies that will ripple out well beyond the state’s borders. Their Privacy Rights Act (CPRA), passed by ballot proposition in 2020, created the California Privacy Protection Agency (CPPA), which seems to be getting closer to initiating its first formal rulemaking process. We have monitored and involved ourselves in this new agency since its inception, and Lisa LeVasseur (our Executive Director) and Noreen Whysel (Director of Validation Research) shared their expertise on product audits and dark patterns, respectively, in a recent pre-rulemaking CPPA Stakeholder Session (May 5-6).
We have included a summary of the CPPA’s rulemaking process to date at the end of this post.
Our Input During the Stakeholder Sessions
Our key recommendations included:
- Focusing on the harmful outcomes of these interfaces by calling them what they are: “Harmful UI Patterns,” rather than “Dark Patterns.”
- Recognizing that Harmful UI Patterns exist along the spectrum of the entire technology relationship, beginning before an account or other user relationship is established until well after it is terminated.
- Adopting a framework for identifying Harmful UI Patterns at each stage of a technology relationship. For example, regulation should include or reference additional examples of Harmful UI Patterns and develop a framework for when they are likely to occur.
- Advocating for Opt-Out to be the default condition, rather than a choice. A respectful default state is one in which no data is collected unless and until a user explicitly allows for data collection.
- Recommendations on clarifying the definitions of “Consent” and “Intentional Interaction.”
- Providing clarity on two types of audits: (1) auditing organizations and their practices and (2) auditing the behavior of technology.
- Addressing scaling issues and challenges. Auditing is too large a job for a single entity.
- Advocating for authorized network of auditing entities to be completely independent and divorced from the industry. There must be transparency in qualifying criteria, selection, and ongoing performance of authorized auditors.
Click here to read our full statements.
Currently, we speculate that the preliminary rulemaking activities have concluded since no additional activities or meetings have been announced. We look forward to receiving notice of the CPPA’s initial draft of regulations soon and submitting our public comments within the 45-day comment period.
Summary of the CPPA’s Rulemaking Process To Date
- In June of 2021, the CPPA board started meeting, addressing administrative issues, hiring personnel, and creating subcommittees.
- In September of 2021, the CPPA initiated their pre-rulemaking activities soliciting preliminary written comments on their proposed rulemaking.
- In January of 2022, the CPPA gave notice to the office of administrative law of their intended rulemaking calendar.
- The initial timeline for adopting final regulations was set for July 1, 2022 by the CPRA but now the timeline for adopting final regulations has been pushed out to Q3 or Q4.
- In February of 2022, Executive Director Ashkan Soltani acknowledged that the new rulemaking timeline puts the CPPA behind schedule, but it will allow the Agency to balance staffing needs and undertake substantial preliminary information gathering to support regulations. Mr. Soltani then expressed the possibility that the CPPA may introduce major regulations.
- In March of 2022, the CPPA continued their preliminary information gathering activities by holding informational hearings. Academics and government officials were selected to speak at these Informational Hearings to provide the CPPA board and staff members with background information on various topics potentially relevant to rulemaking.
- In May of 2022, the CPPA continued their preliminary information gathering activities by holding Stakeholder Sessions providing the public with the opportunity to speak on their experience and expertise in topics relevant to the upcoming rulemaking.
- We signed up to participate in these Stakeholder Sessions and provided our input on Audits and Dark Patterns.