NEWS 10 November 2021

CPRA likely to result in huge privacy compliance costs

US – The Insights Association has told the California Privacy Protection Agency (CPPA) that insights companies preparing to comply with the California Privacy Rights Act (CPRA) will face “tremendous costs”.

This will be especially true for small and medium-sized firms that are “updating and expanding on their already extensive compliance efforts” in connection with the CPRA, cautions the non-profit trade association.

In light of this, the Insights Association has set out a number of recommendations for new regulator the CPPA, including urging it to limit processing that presents a “significant risk” to consumers’ privacy or security to highly sensitive personal information, such as financial account information, as well as limiting it to processing that occurs on a regular basis or a minimum number of times per year.

In addition, such processing should involve at least 100,000 records, given that the statute “contemplates ‘significant risk to consumers’ privacy or security’, language which connotes larger concerns of aggregate risk, not every isolated presentation of risk to any individual consumer or small group of consumers”, said the trade body. Alternatively, the association suggests that the CPPA could “incorporate some numerical trigger into what constitutes ‘significant risk’ processing”.

The CPPA should also consider limiting audit and risk assessment requirements to businesses that meet one of the first two prongs of the CPRA’s business definition. This is because the third prong is not tied in any way to business size or processing volume, according to the Insights Association, which added that “it includes a substantial number of small and medium-sized firms in the market research and data analytics industry.”

Moreover, the CPPA must clarify that the use in research results and reports of “sensitive personal information” is a “reasonably expected” use of information provided in connection with corresponding surveys and research studies. The Insights Association also called on the agency to define “disproportionate effort” as those efforts which “do not, in the reasonable discretion of the business, meaningfully add to the consumer’s understanding of the business’s historical practices”.

The association believes that market research should be exempt from notices of financial incentives. “For our members’ research to be effective, they must ensure robust participation, often through the offering of incentives. For example, a doctor may be offered an honorarium to answer a survey about various pharmaceuticals, or an individual may be offered a gift card to participate in a half-day focus group about the latest television shows.”

Lastly, the CPPA should limit the “authorised agent” concept to minors and elderly or incapacitated individuals. Under CPRA, a consumer can designate an “authorised agent” to submit opt-out requests, and requests to know and delete, without limitation.

Increasingly, association members are “receiving requests from purported authorised agents and are caught between, on one hand, wanting to honour legitimate requests and, on the other, the pervasive concern that the authorised agent mechanism invites fraud”, noted the trade body.