Consumer Reports appreciates the opportunity to provide preliminary comments on the proposed rulemaking under the California Privacy Rights Act (CPRA). We thank the California Privacy Protection Agency (CPPA) for soliciting input to make the California Consumer Privacy Act (CCPA), as amended by Proposition 24, work for consumers.
Privacy laws should protect consumer privacy by default, through strong data minimization that limits data use, collection, sharing, and retention to what is reasonably necessary to provide the service requested by the consumer. But at the very least, opt outs should be workable for consumers. It’s essential that the regulations clarify that businesses are required to honor browser privacy signals, including the Global Privacy Control specifically, as an opt out of sharing and sale. Even with such a requirement in the current CCPA regulations, and guidance from the AG that businesses must honor Global Privacy Control signals as an opt out of sale, many companies have simply disregarded this right. Second, when a consumer opts out, the CPPA must not permit companies to make their personal information available to third parties for a commercial purpose. Otherwise, key rights will not be accessible in practice for consumers.
The rulemaking also provides a prime opportunity to set baseline protections with respect to automated decision-making. Though automated decision-making can have discriminatory effects, it is largely unregulated. We urge the CPPA to adopt key protections with respect to transparency and auditing of the algorithms used in important decisions that affect consumers, and to prohibit uses that lead to egregious harms.
In the document, we outline key recommendations to uphold consumer privacy and advance civil rights, consistent with the CPRA. For the full comments, please see the attached PDF.