EPIC, Peer Organizations Urge California Privacy Agency to Establish Strong Data Protection Regulations

EPIC and three peer organizations urged the California Privacy Protection Agency on Monday to implement strong, privacy-protective regulations under the state’s new data protection law. Approved by California voters in 2020, the California Privacy Rights Act established the state’s data protection agency, requires risk assessments for certain types of data processing, permits residents to opt out of automated decisionmaking, and builds on the California Consumer Privacy Act in numerous other ways. EPIC and its partners urged the agency “to continue ‘protect[ing] consumers’ rights’ and ‘strengthening consumer privacy’ at every opportunity, consistent with the expressed will of California voters.” Specifically, the comments call on the agency “to impose rigorous risk assessment obligations on businesses whose data processing activities could reasonably harm individuals’ privacy or security; to maximize the transparency of automated decisionmaking systems and minimize the burdens on individuals who wish to opt out of such systems; and to prevent any exceptions to user-directed limits on the use and disclosure of sensitive personal information from swallowing the rule.” The comments were joined by Consumer Action, the Consumer Federation of America, and New America’s Open Technology Institute. EPIC has previously provided comments on the CCPA and published a detailed analysis of the CPRA before its approval.