California Privacy Agency Receives Comments from FPF Regarding Proposed Regulations
The Future of Privacy Forum (FPF) has submitted comments to the California Privacy Protection Agency (CPPA), offering recommendations to enhance transparency, specificity, and compliance mechanisms in cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) under the California Consumer Privacy Act (CCPA).
In their comments, FPF addresses opportunities to bring clarity to the proposed regulations, particularly in the areas of cybersecurity audits, risk assessments, and ADMT. The FPF's recommendations aim to better protect consumer data and rights, ensuring businesses not only comply with CCPA mandates but also build trust through clear, enforceable, and effective privacy governance.
One key recommendation from FPF is the need for clear, standardized frameworks for conducting cybersecurity audits and risk assessments that align with CCPA requirements. This includes defining the scope of audits, identifying appropriate risk factors, and ensuring the adequacy of security measures to prevent data breaches and unauthorized access. FPF also suggests that regular, comprehensive risk assessments be integrated into organizational privacy programs to proactively address vulnerabilities.
Another significant recommendation pertains to ADMT, given the growing use of automated decisions in consumer data processing. FPF advises the CPPA to clarify rules regarding transparency and consumer rights in this context. This could involve recommending clear disclosures about the use of automated decision-making systems, ensuring consumers have meaningful rights to access, opt out, or contest decisions affecting them, and requiring accountability measures such as impact assessments.
The FPF also proposes practical implementation measures, such as user-friendly opt-out mechanisms, well-trained staff to handle consumer inquiries, and regular audits to maintain compliance and trust.
FPF's comments also suggest considering carve-outs for narrowly used, low-risk AI systems to avoid unintended impacts. Additionally, FPF proposes providing flexibility for privacy notices in virtual and augmented reality environments.
The FPF further recommends that the CPPA provide additional clarity on opt-out rights under the CCPA as they relate to automated decision-making technology. They also suggest that risk assessments weigh the benefits of processing activities against the risks to individuals' privacy, as mitigated by safeguards.
FPF submitted the comments on its website on February 19. They concern draft regulations submitted by the CPPA governing cybersecurity audits, risk assessments, ADMT access, and opt-out rights under the CCPA. FPF's comments also aim to clarify the intended scope of the definition of "significant decision," the "substantially facilitate" standard for in-scope ADMT systems, and whether requiring businesses to consider ADMT systems "capable" of certain purposes is too broad.
In summary, the Future of Privacy Forum's comments to the California Privacy Protection Agency focus on enhancing transparency, specificity, and compliance mechanisms to better protect consumer data and rights under the California Consumer Privacy Act. Their recommendations emphasize the importance of clear, standardized frameworks for conducting cybersecurity audits and risk assessments, specific guidance on automated decision-making technology, strengthening verification and transparency, and practical implementation measures.
- The Future of Privacy Forum (FPF) has proposed the creation of clear, standardized frameworks for cybersecurity audits and risk assessments that align with the California Consumer Privacy Act (CCPA).
- In their comments, FPF suggests that businesses using automated decision-making technology (ADMT) should provide clear disclosures about its use and offer consumers meaningful rights to access, opt out, or contest decisions affecting them.
- The FPF also recommends the integration of regular, comprehensive risk assessments into organizational privacy programs to proactively address vulnerabilities.
- FPF submitted its comments on its website on February 19 in response to the CPPA's draft regulations governing cybersecurity audits, risk assessments, ADMT access, and opt-out rights under the CCPA.
- Another recommendation from FPF includes providing flexibility for privacy notices in virtual and augmented reality environments and considering carve-outs for narrowly used, low-risk AI systems.
- The FPF encourages the CPPA to provide additional clarity on opt-out rights under the CCPA, the intended scope of the definition of "significant decision," the "substantially facilitate" standard for in-scope ADMT systems, and whether requiring businesses to consider ADMT systems "capable" of certain purposes is too broad.