Comment on CCPA/CPRA Rulemaking
Below, you’ll find the comment I submitted to the California Privacy Protection Agency, in which I offered my perspective on their draft regulations.
Re: NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS AND ADDITION OF DOCUMENTS AND INFORMATION TO RULEMAKING FILE [OAL FILE NO. 2022-0628-02]
Dear Mr. Soublet and the California Privacy Protection Agency,
I am submitting comments on the California Privacy Protection Agency’s (CPPA) Modified Text of Proposed Regulations as announced in the agency’s Notice of Modifications to Text of Proposed Regulations. Thank you for the opportunity to comment on this most recent round of regulations to effectuate the amendments to the “California Consumer Privacy Act of 2018” (AB 375) (CCPA) made by voters via Proposition 24 (aka “California Privacy Rights Act” (CPRA)).
I am an attorney[1] in private practice who specializes in technology law, policy, and politics with over 15 years of experience as United States (U.S.) Congressional staff and a lobbyist and lawyer. I have deep subject matter knowledge in data protection, data privacy, data security, cybersecurity, Internet of Things (IoT), U.S. government procurement, health data protection, international data flows, U.S. surveillance law, and other areas. At present, I write and publish a subscription newsletter, The Wavelength, that covers technology developments in the United States, the European Union, and elsewhere. I have written extensively on the CCPA, various bills in the California legislature to amend the CCPA, the CPRA, and many of the bills introduced in the U.S. Congress to alter U.S. privacy law.[2] I also consult, and, in the interest of full disclosure, I have no clients with interests in this rulemaking.
I would offer the following suggestions and observations to help the CPPA write regulations that will strengthen privacy rights in California, a primary goal of both the CCPA and CPRA.
Subsection (a) of “§ 7002. Restrictions on the Collection and Use of Personal Information” contains provisions the CPPA may not have the statutory authority to promulgate. To wit, Civil Code 1798.100(c) provides in relevant part:
A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed…
And so, § 7002(a)’s first sentence tracks with this statutory provision. The potential problem comes in the next line when the CPPA seeks to construe what is “reasonably necessary and proportionate” in Civil Code section 1798.100(c) and asserts that to meet this standard the “business’s collection, use, retention, and/or sharing must be consistent with what an average consumer would expect when the personal information was collected.” It is the use of the “average consumer” standard that may be outside the CPPA’s remit. The CCPA uses an “average consumer” standard in a few places, notably in Civil Code section 1798.121 which states:
A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform the services…
That the CCPA as amended via ballot uses “average consumer” in some places and not others suggests this standard was not to be used for determining reasonably necessary and proportionate for the collection and use of personal information. While an “average consumer” standard has its merits in terms of being easily defined and easily administered, the fact remains that this standard does not have a basis in the relevant section of the CCPA. Moreover, such a standard is apt to permit personal information collection, usage, and disclosure beyond what “reasonably necessary and proportionate” would. Using a reasonably necessary and proportionate standard would convey to all players in the data ecosystem that the minimum amount of personal information needed to provide a service or product is the target they need to meet and not the more expansive “average consumer” standard.
Moreover, it should also be noted that using an average consumer standard can result in a moving target for businesses as the expectations of the average consumer change over time. It is conceivable that the average consumer comes to see increasingly egregious data collection and processing practices as reasonably necessary and proportionate. As matters stand, according to polling data, “that roughly six-in-ten U.S. adults say they do not think it is possible to go through daily life without having data collected about them by companies or the government” (emphasis in the original.)[3] Thus this reason also lends itself to arguing against the use of the average consumer threshold in § 7002.
§ 7004(a)(3) should be expanded through a provision barring businesses from offering two options, say for the selling or sharing of personal information, with the choice that would permit the business to sell or share being the default. One frequently encounters this choice architecture online where a website is seeking one’s consent to use cookies and the choice that would allow the business to do so is already chosen, leading a distracted or unfocused person to click on the default choice. Regulators have documented evidence that use of dark patterns in this manner often affects user behavior in ways that can be harmful to them.[4] This practice should be barred so that Californians will be able to choose freely when presented choices per the CCPA.
§ 7011(e)(1)(B) is one of the instances in the draft regulations where the agency references “categories of sources” of personal information businesses will have a responsibility to share with consumers. The CCPA is clear on what categories of personal information and sensitive personal information are but is silent on “categories of sources.” However, the regulations lack guidance on what the categories of sources should be, leaving the matter to businesses to decide how to categorize and convey to consumers the sources from which personal information, and in some cases, sensitive personal information, are obtained. The CPPA should give consideration to writing a new subsection that would provide parameters for businesses to meet in divulging categories of sources, or at the least provide illustrative examples. This is an issue throughout the draft regulations wherever “categories of sources” is used.
A similar issue is apparent in § 7011(e)(1)(C) with “commercial purposes.” As with “categories of sources,” this term is not defined in the CCPA and not construed in the regulations but used in many places. Presumably, most purposes that are not illegal and not “business purposes” would be considered commercial purposes. The agency might give thought to defining the term as a way to fill a gap in the CCPA or to providing some examples of commercial purposes so businesses will understand how and what they need to be telling consumers.
A crucial caveat needs to be added to § 7011(e)(2)(D) and (E), specifically that consumers may opt out of the sale or sharing of personal information and sensitive personal information at any time. Otherwise, businesses may omit this key part of the right, and only those Californians who have read the law and regulations will know this right can be exercised at any time.
In § 7012(c)(3), I have misgivings about the requirements for mobile applications regarding the Notice at Collection. Unlike the requirements for online collection that mandate a link on webpages, mobile applications would be permitted to “provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.” Hence, it is likely for mobile applications that links to the Notice at Collection will be placed on the download page and in the settings menu, two of the least conspicuous sites to notify users. It would be more effective to have the Notice at Collection provided to users when the application has launched and users may interact with it.
§ 7013 would permit businesses to either post a “Do Not Sell or Share My Personal Information” link giving immediate effect to a consumer’s choice or “to a webpage where the consumer can learn about and make that choice.” This is antithetical to symmetry principles in § 7004 because it is likely many businesses will opt for the two-step process in the hopes the extra step will dissuade users or the consumer will not opt out based on what they read on the second page. It would be more empowering to consumers if businesses were required to post a “Do Not Sell or Share My Personal Information” link and an additional link “to a webpage where the consumer can learn about and make that choice.” Hence, consumers would be in a position to immediately opt out of the sale or sharing of personal information or learn more should they choose. Giving businesses a choice will result in a number taking the opportunity to place an extra step in the process.
Much the same issue is present in § 7014 as in § 7013 regarding giving businesses the option of including an extra step in providing consumers a “Limit the Use of My Sensitive Personal Information” link. As with the “Do Not Sell or Share My Personal Information” link, businesses would again have the choice to let consumers immediately effectuate their preference by clicking on the link or to “lead the consumer to a webpage where the consumer can learn about and make that choice.” This again adds steps. Again, I suggest that businesses be allowed to just post a “Limit the Use of My Sensitive Personal Information” link or this link and another that leads people to more information.
§ 7014(f) would be improved with greater specificity about how businesses should describe the right to limit use and disclosure in its Notice of Right to Limit. Otherwise, the CPPA and consumers may find great variation across these notices and perhaps obfuscation designed to confuse consumers.
Moreover, Civil Code section 1798.121(b) bars the use or disclosure of sensitive personal information after a consumer has exercised her right to limit unless she subsequently consents. The statute and regulations are silent on how frequently a business may ask a consumer for consent to essentially reverse his decision to opt to limit use and disclosure. This seems like a gap the agency should address with guidance if not new regulations that would prevent the foreseeable situation where some online businesses or mobile applications would constantly ask those who have opted to limit the use and disclosure of sensitive personal information to reverse their decisions.
The Alternative Opt-Out Link regulations in § 7015 need revision to make clearer to consumers what the link would do. As written, businesses could give “a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links.” However, if businesses post a link labeled “Alternative Opt-Out,” many people may not understand what this choice entails and so may not click on the link which provides an explanation. It would be more effective to require a short description of the “Alternate Opt-Out” option as part of the link that makes clear this option allows consumers to both stop the selling and sharing of personal information and limiting the use and disclosure of sensitive personal information.
The requirement in § 7016(d) that businesses, among other information, must furnish a “good-faith estimate of the value of the consumer’s data” and “[a] description of the method(s) the business used to calculate the value of the consumer’s data” may pose difficulties. Some businesses may opt for overly confusing or complex information so as to ward off scrutiny by the CPPA and consumers. The agency should consider adding what might be considered a requirement that these portions of the financial incentives disclosures meet the requirements of § 7003(a) and § 7003(b) (i.e. mathematical language that is “easy to read and understandable to consumers” and uses “plain, straightforward language and avoid technical or legal jargon.”) Such a requirement would make clear the financial proposition before consumers in a financial incentive program.
Regarding methods for submitting requests to delete, correct, and know in § 7020, in subsections (a) and (b), the agency might give thought about providing a bit more detail on what constitutes a “direct relationship.” This concern is raised because some businesses may opt to liberally construe what is a “direct relationship” (e.g. a media site claiming visits constitute a direct relationship as opposed to something more substantial like a subscription or purchases.) The motivation for broadly construing this term would be to limit their responsibility in providing means for consumers to contact them to exercise their rights. Not only might this save such a business administrative trouble but it may also function as a means of making it harder to exercise rights that could decrease the value of data businesses are collecting, processing, and sharing.
In the same vein, § 7020(d)’s bifurcated process for exercising one’s right to delete invites mischief from some businesses even with the caveat that they observe § 7004. A better model would be having the online process ask the person twice if they want to delete on the same webpage. Moreover, the CCPA does not call for a two-step process in exercising this right.
§ 7022(a) would be improved with language mandating that in denials of a request to delete businesses explain generally verification requirements for requests to delete so that consumers will better understand the type of information they need to furnish.
The CPPA might consider expanding the scope of the personal information service providers and contractors must delete in § 7022(b)(2). Civil Code section 1798.105(c)(3) provides:
A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete…personal information about the consumer collected, used, processed, or retained by the service provider or the contractor (emphasis added.)
While Civil Code section 1798.105(a) provides that businesses need only delete personal information they collected from a consumer, meaning personal information obtained from other means need not be deleted, subsection (c)(3) requires the service providers and contractors of businesses to respond to requests to delete “personal information about the consumer collected, used, processed, or retained by the service provider or the contractor.” Thus, the plain language of the CCPA would allow the CPPA to require service providers and contractors to delete all personal information of a consumer if she makes that request regardless of where it was acquired.
Elsewhere in § 7022, the agency should expand on what constitutes “impossibility” or “disproportionate effort.” As with other undefined or ambiguous terms, these will undoubtedly be read in ways that do not accrue to the benefit of consumers.
The CPPA should add a timeframe under which a business, service provider, or contractor should delete personal information on archived or backup systems per the verified request of a consumer in § 7022(d). Recognizing that it is impractical to set a deadline of 45 days, a deadline of three to six months may be appropriate in giving businesses, service providers, contractors, and third parties sufficient time to comply with requests while also ensuring requests will be completed in a specified timeframe. The same concern is raised by similar language in other sections of the regulations such as § 7023(c), and I suggest a similar change in those places.
In § 7022(g), the CPPA should consider requiring businesses to include in their denials of requests to delete information about and an offer for the consumer to opt out of the sale and sharing of their personal information. If the agency added this requirement, then there would be a question about the timeframe within which this offer must be made. As matters stand, the provision could be read as permitting a business to wait in making the offer to the requester to opt out of the selling and sharing of personal information.
In § 7022(h), the agency should add a requirement that this subsection must comport with § 7004 on dark patterns, in particular, as there is the potential for some businesses to try to use deceptive means to get consumers to choose to delete less personal information. Moreover, the choice put to consumers should be clear and easily understandable regarding the categories of personal information they can have deleted instead of all their personal information.
The revised regulations should be changed back to how they were originally written with respect to § 7023(i) in that businesses should be required to “provide the consumer with the name of the source from which the business received the alleged inaccurate information.” Otherwise, a consumer seeking the source of inaccurate information would be in the Kafkaesque situation of being unable to trace the origin of wrong information. Businesses should be required to make a good faith effort to share what they know about the source of inaccurate information short of revealing confidential information or trade secrets, of course.
§ 7024(k)(3) does not match the CCPA in terms of the disclosure a business must make to a consumer under a request to know. Civil Code section 1798.110(c)(3) requires that a business that collects personal information about consumers must disclose, among other information, “[t]he business or commercial purpose for collecting, selling, or sharing personal information.” However, § 7024(k)(3) merely requires the disclosure of “[t]he business or commercial purpose for which it collected or sold the personal information.” In order to ensure that the regulations meet the CCPA, the business and commercial purposes for sharing personal information must be added to § 7024(k)(3).
In the subsection on Opt-Out Preference Signals, I have concerns about the language in subsection § 7025(b)(1) directing businesses to accept these signals if they are “in a format commonly used and recognized by businesses.” This provision could allow some businesses to reject some opt-out preference signals on the grounds the business does not consider them commonly used. It would be well if the CPPA added a provision to the regulations directing businesses to a list the agency would maintain on the signals it deems commonly used.
§ 7025(c)(5) is not clearly written and needs revision as it is not intelligible. Perhaps the agency intended to write regulations to address situations like the illustrative example in (c)(7)(B) in that “Business O may inform Noelle that her opt-out preference signal differs from her current privacy settings and provide her with an opportunity to consent to the sale or sharing of her personal information, but it must process the request to opt-out of sale/sharing unless Noelle instructs otherwise.” If the agency means to bar businesses from interpreting a lack of answer or response to a warning that a consumer’s opt-out preference signal is at odds with a previous arrangement to sell or share their personal information, then this section should be rewritten along the lines of:
Where the consumer is known to the business [and permits the sale or sharing of personal information], the business shall not interpret the absence of [a response to notification that the opt-out preference signal differs from the previously granted consent to sell or share personal information] after the consumer sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information (with bracketed language being additions to the regulations.)
In order to ensure that consumers are fully informed and knowledgeable about how their personal information is used, § 7025(c)(6) should revert to its previous form in requiring businesses to confirm a consumer has opted out. If there is not some confirmation, then a consumer may think he has opted out of the selling or sharing of his personal information or has limited the use and disclosure of sensitive personal information but has not. Therefore the consumer may continue using a website, product, or service wrongly thinking his intentions have been honored. This would be contrary to one of the CCPA’s goals: that consumers have “the information necessary to exercise meaningful control over businesses’ use of their personal information.”
§ 7025(d) should be amended to require businesses to maintain records of which consumers have opted out and that any such records can only be used for this purpose. Such a change would provide evidence in the event of an enforcement action that would show whether a business is complying with the CCPA and its regulations.
§ 7025(e) appears contrary to the CCPA. It gives me no pleasure to disagree with the CPPA’s interpretation of Civil Code section 1798.135(b)(1) and (3), but my read of the statute is contrary to the agency’s drafted regulations and the explanation provided in the “Initial Statement of Reasons.” 1798.135(b)(3) clearly establishes that “[a] business that complies with subdivision (a) is not required to comply with subdivision (b).” Of course, subdivision (a) establishes the requirements of the “Do Not Sell or Share My Personal Information” and the “Limit the Use of My Sensitive Personal Information” links along with “a single, clearly labeled link” in lieu of having both the aforementioned links.
Subdivision (b)(1) of Civil Code section 1798.135 states “[a] business shall not be required to comply with subdivision (a) if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology…” If this were the extent of requirements on the parameters of links and opt-out preference signals, weight would be given to the CPPA’s interpretation in § 7025(e) that “[e]ven if the business posts the above-referenced links, the business must still process opt-out preference signals.” However, as noted above, 1798.135(b)(3) clearly establishes that “[a] business that complies with subdivision (a) is not required to comply with subdivision (b).” Consequently, requiring businesses that opt for subdivision (a) to also honor subdivision (b) is against the will of the voters who agreed to Proposition 24. This must be removed from the regulations, for the agency will inevitably be challenged in court at the risk of losing.
In § 7025(f)(3) businesses are prohibited from displaying “a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.” And yet, § 7025(c)(6) permits a business to “display on its website “Opt-Out Preference Signal Honored” when a browser, device, or consumer using an opt-out preference signal visits the website, or display through a toggle or radio button that the consumer has opted out of the sale of their personal information.” It would appear that some clarification is needed with respect to what a “notification” is for purposes of the prohibition in (f)(3) because the feature businesses may use per (c)(6) seems very much like a notification.
§ 7026(f)(1) sets a definite 15-day deadline by which businesses must stop selling or sharing personal information, which matches § 7027(g) with respect to limiting the use and disclosure of sensitive personal information. The CPPA should consider the benefits to consumers of setting definite deadlines by which businesses must comply with verified requests to delete, correct, and know. § 7021 details the timeline for business responses to and processing of requests but is silent on the timeframe within which action is required on a verified request. The agency should consider a deadline that is fair to both businesses and consumers so there is clarity about when a verified request should be completed.
Additionally, the agency should rewrite § 7027(h) to require businesses to confirm receipt of and compliance with a request to limit use and disclosure of sensitive personal information. Thus consumers can be sure that their request was processed and being honored. The proposed means by which a consumer would learn whether their request has been effectuated places the onus on the consumer. The business must inform service providers, contractors, and third parties, so additional notice to the consumer is a marginal burden at worst.
§ 7053(a)(3) should be changed to require contracts between businesses and third parties to mandate that the latter must “comply with a consumer’s request to opt-out of sale/sharing forwarded to it by a first party business.” Civil Code section 1798.100(d) makes abundantly clear in subsection (2) that contracts with third parties obligate these entities “to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.” If third parties are not required to honor opt-out requests because their contracts with businesses may not require doing so under the regulations, then they cannot be said to be complying with the “applicable obligations” under the CCPA. Hence, § 7053(a)(3) should require that contracts between businesses and third parties so that the latter will understand clearly their legal obligations.
The CPPA should give thought to establishing what a “more stringent verification process” means with respect to the provisions in § 7060(c)(3). It seems probable and foreseeable that some businesses will read this phrase as requiring the setting of a standard so high that many requests will not be verified.
§§ 7060, 7061, and 7062 need language making clear to businesses that weaponizing the verification process as a means of defeating properly submitted consumer requests is a violation of the CCPA. At least one study has found that, at present, some businesses in California seem to be making verification as hard as possible to ward off consumer requests.[5] Moreover, as the agency is likely well aware, many of the Attorney General’s case examples relate to issues with consumer requests and verification.[6] Should the CPPA add language emphasizing that intentional efforts to complicate their process for processing and verifying consumer requests violate the CCPA, the agency should consider adding it to the sections of the regulations on the rights to delete, correct, know, opt-out of the sale and sharing of personal information, and to limit the use and disclosure of sensitive personal information.
In the same vein, in light of the ample latitude given to businesses in verifying the identity of adults for the exercise of CCPA rights, the methods of verifying the identity of a child’s parent are much less rigorous with respect to consent to sell or share a child’s personal information. For example, § 7070(a)(2) permits businesses to rely on a phone call with a parent or a guardian to allow the personal information of a more vulnerable group of individuals to be sold or shared. In light of language on verification for adults, it is paradoxical that the methods for verifying the identities are lax for a class of individuals intended to receive higher protection under the CCPA. The agency might consider permitting adults — again, a group that would receive less protection generally — to use the same identity verification methods for themselves that they can avail themselves of for their children. The same is applicable to adults’ identity verification vis-à-vis the methods of identity verification in § 7070(c) for determining a parent or guardian’s identity for purposes for exercising the rights to delete, correct, and know.
Given the statute of limitations in Civil Code sections 1798.199.70 and 1798.199.75(b), the CPPA might consider extending the period that businesses must maintain records of consumer requests to match accordingly in § 7101 to more than two years.
Even though I agree with § 7102 “Requirements for Businesses Collecting Large Amounts of Personal Information” on a policy basis, there is scant basis for these provisions in the CCPA. Of course, the Attorney General, and now the CPPA, were given wide discretion in Civil Code 1798.185(a) to “adopt regulations to further the purposes of this title, including, but not limited to, the following areas,” but a higher set of requirements for the holders of large amounts of data is not evidenced anywhere else in the CCPA. Accordingly, the agency should strike these provisions.
Civil Code section 1798.185 directs the CPPA to undertake a rulemaking, which it has done in substantial part. However, the agency did not address a number of issues the amended CCPA requires. For example, Civil Code section 1798.185(a)(12) directs the Attorney General “to further define “intentionally interacts,” with the goal of maximizing consumer privacy.” However, as I probably do not need to remind the CPPA, it assumed the Attorney General’s rulemaking authority on April 21, 2022. Hence, the onus falls on the CPPA to fulfill the will of the voters of California who voted to approve Proposition 24 in part through meeting all the rulemaking requirements. And yet, a number of items the CPRA directed the CPPA to include are not in the revised regulations.
Likewise, the present regulations do not meet these other requirements in Civil Code section 1798.185:
• (12) Issuing regulations to further define “intentionally interacts,” with the goal of maximizing consumer privacy.
• (13) Issuing regulations to further define “precise geolocation,” including if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.
• (14) Issuing regulations to define the term “specific pieces of information obtained from the consumer” with the goal of maximizing a consumer’s right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful to the consumer, including system log information and other technical data. For delivery of the most sensitive personal information, the regulations may require a higher standard of authentication provided that the agency shall monitor the impact of the higher standard on the right of consumers to obtain their personal information to ensure that the requirements of verification do not result in the unreasonable denial of verifiable consumer requests.
• (15) Issuing regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to:
  ◦ Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.
  ◦ Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.
• (17) Issuing regulations to further define a “law enforcement agency-approved investigation” for purposes of the exception in paragraph (2) of subdivision (a) of Section 1798.145.
I would urge the CPPA to promulgate the regulations necessary to effectuate these sections of the CCPA.
[1] Member of the Bar Associations in the District of Columbia and Maryland.
[2] A sample of articles includes: Privacy Bill Revived and Revised in Washington State, Michael Kans Blog (February 4, 2020), https://michaelkans.blog/2020/02/04/privacy-bill-revived-and-revised-in-washington-state/; Third Set of Draft CCPA Regulations Released For Comment, Michael Kans Blog (March 20, 2020), https://michaelkans.blog/2020/03/20/third-set-of-draft-ccpa-regulations-released-for-comment/; CCPA 2.0 Backers Submit Ballot Initiative for November Election, Michael Kans Blog (May 9, 2020), https://michaelkans.blog/2020/05/09/ccpa-2-0-backers-submit-ballot-initiative-for-november-election/; CPRA Analyzed, Michael Kans Blog (August 28, 2020), https://michaelkans.blog/2020/08/28/cpra-analyzed/; CPRA From Another View, Michael Kans Blog (September 2, 2020), https://michaelkans.blog/2020/09/02/cpra-from-another-view/; Two State Privacy Bills Advance, The Wavelength (March 9, 2021); Washington State Privacy Act Advances, The Wavelength (April 6, 2021); Utah’s Privacy Bill, The Wavelength (March 8, 2022); Three of the Four Top Privacy Stakeholders Float A Compromise Discussion Draft, The Wavelength (June 6, 2022), https://the-wavelength.ghost.io/three-of-the-four-top-privacy-stakeholders-float-a-muddled-discussion-draft/; California Proposes New Regulations To Implement CCPA Rewrite, The Wavelength (June 9, 2022), https://the-wavelength.ghost.io/california-proposes-new-regulations-tom-implement-ccpa-rewrite/; California Enacts New Privacy Regime For Children Aligned With Britain’s, The Wavelength (September 15, 2022), https://the-wavelength.ghost.io/california-enacts-new-privacy-regime-for-children-aligned-with-britains/; and ADPPA vs. CPRA, The Wavelength (September 29, 2022), https://the-wavelength.ghost.io/adppa-vs-cpra/.
[3] Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar and Erica Turner, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Research Center (November 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
[4] Competition and Markets Authority, Online Choice Architecture: How digital design can harm competition and consumers, (April 2022), Page 17, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1066524/Online_choice_architecture_discussion_paper.pdf; Federal Trade Commission, Bringing Dark Patterns to Light, (September 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/P214800%20Dark%20Patterns%20Report%209.14.2022%20-%20FINAL.pdf.
[5] Kaveh Waddell, California's New Privacy Rights Are Tough to Use, Consumer Reports Study Finds, Consumer Reports (March 16, 2021), https://www.consumerreports.org/privacy/californias-new-privacy-rights-are-tough-to-use-a1497188573/.
[6] CCPA Enforcement Case Examples, California Attorney General, https://oag.ca.gov/privacy/ccpa/enforcement.