
Trade association: California agency should rethink 'burdensome' cybersecurity proposals

SOUTHERN CALIFORNIA RECORD

Tuesday, February 4, 2025


Ed McFadden, AFSA's vice president for communications, said the proposed California rules could inadvertently inform bad actors of businesses' methods of detecting fraudulent activity. | American Financial Services Association

A trade association is pushing back on plans by the California Privacy Protection Agency (CPPA) to approve new cybersecurity regulations that critics say are burdensome, rigid, ineffective and at odds with existing federal rules.

The American Financial Services Association (AFSA), which represents the consumer credit industry, sent a letter to the CPPA Jan. 15 complaining about the agency's proposals to modify the California Consumer Privacy Act. The state agency is tasked with improving consumer privacy protections and working to keep consumers’ personal data safe.

“The scope of the proposed regulations, particularly with regard to cybersecurity programs, risk assessments, and definitions such as ADMT (automated decision-making technology) and behavioral advertising, appears to exceed statutory limits,” the AFSA said in its letter. “These issues, along with the impracticality of compliance with several provisions, warrant careful reconsideration.”

In response to the wildfires that destroyed lives and property in Southern California, the agency extended its public comment period on the proposed new rules. The deadline for public comment is now Feb. 19.

“AFSA believes the proposed CCPA (California Consumer Privacy Act) regulations go way beyond the law and ignore the risk of inadvertently providing fraudsters with a roadmap to get better at committing fraud,” the association’s spokesman, Ed McFadden, told the Southern California Record in an email. “We are hopeful that the CPPA modifies the regulations with all of our suggestions in mind.”

Of particular concern to the financial-services industry are the rules for cybersecurity audits, which are intended to prevent the data breaches that have led to identity theft and class-action lawsuits. The CPPA’s proposed audit regulations are too onerous and too prescriptive, according to the Jan. 15 letter.

“The CPPA’s role should be limited to requiring businesses to conduct annual cybersecurity audits, defining the general scope of such audits, and ensuring that they are thorough and independent,” the letter says. “The regulations should avoid imposing specific security processes on businesses.”

The proposals are out of sync with the current requirements for federally regulated banks and credit unions, according to the letter, and exceed the agency’s authority over such institutions. The effect, the AFSA contends, is to require businesses to comply with auditing rules spelled out in extensive detail.

“This effectively duplicates efforts for federally regulated institutions already subject to comprehensive audit requirements,” the letter states. “To avoid redundancy, the CPPA should exempt businesses meeting federal audit standards from additional state-specific requirements.”

The provisions calling on businesses to conduct risk assessments of the potential consumer harm from their processing of data go beyond businesses’ normal expertise, the AFSA said. The proposals would require assessing psychological harms such as emotional stress, anxiety and embarrassment from potential data leaks.

The regulatory proposals also fall short on protecting proprietary information, according to the letter.

“The statutory mandate for risk assessments explicitly protects businesses from being required to divulge trade secrets,” the letter states. “However, this principle is missing from the proposed regulations. To address this omission, the regulations must include explicit provisions that protect trade secrets and intellectual property from disclosure during compliance.”

The AFSA also objected to the agency’s definitions of ADMT and of behavioral advertising, which uses consumers’ internet activity to serve them personalized advertising. These definitions are too broad and expand privacy rights beyond the scope of the law, the letter contends.
