Comment Letter to Implement the California Privacy Rights Act (CPRA) in CA Privacy Regulations

Re: Notice of Proposed Rulemaking, California Privacy Protection Agency; California Privacy Rights Act of 2020 (November 3, 2022)

To Whom It May Concern:

            The U.S. Chamber of Commerce’s Technology Engagement Center (“Chamber” or “C_TEC”) appreciates the opportunity to provide public comment on its Modified Proposed Rules to amend California’s privacy regulations to implement the California Privacy Rights Act (“CPRA”).[1] Consumers deserve strong privacy protections and innovative products as services. Businesses need certainty, uniformity, and protections against abusive litigation. It is for this reason that the Chamber supports national privacy legislation that does all these things. The California Privacy Protection Agency’s (“CPPA” or “Agency”) proposed rules will impact businesses beyond the borders of the Golden State. Therefore, we offer the following comments promoting consumer protection and business clarity that fall within the limits of CPRA.[2]

I. The Agency Should Align the Consent Requirements in Section 7002 with the CPRA.

Secondary uses of data are instrumental in serving consumers better as well as helping solve many of society’s greatest challenges and providing a public interest benefit.[3] For example, secondary data is being used to combat online fraud, expand financial inclusion, and examine social determinants of health. It is critical for these societally beneficial uses of data to continue to be reaped. This would allow flexibility while protecting consumers’ rights in this matter so as not to dry up the data pools necessary to achieve these positive goals of public safety and inclusion.

The Modified Proposed Regulations regarding the use of secondary data establishes separate standards for assessing the consumer’s reasonable expectations and whether a disclosed purpose of processing is compatible with the context in which the personal information was collected. This creates potential confusion and gives the CPPA too much discretion to ignore disclosures made to consumers.

The Modified Proposed Regulations would require “consent…before collecting or processing the consumer’s personal information for any purpose” that is not considered  “reasonably necessary and proportionate to achieve…the purposes for which the information was collection” or “…another disclosed purpose that is compatible with the context in which the personal information was collected…”[4] The Chamber urges the CPPA to align the regulations with the CPRA by clarifying that a business may use personal information for purposes that are compatible with any purpose disclosed at the time of collection.[5]

II. The Proposed Global Opt-Out Mandate Exceeds the CPPA’s Statutory Authority.

Section 7025 of the Proposed Regulations mandates obligations on businesses who receive opt-out preference signals and to treat such signals as a verified request to opt-out. Specifically, Section 7025(b) states “[a] business that sells or shares personal information shall process any opt-out preference signal that meets the following requirements as a valid request to opt-out of sale/sharing.”[6]  The CPRA does not authorize the CPPA to legislate this new mandate.

 The CPRA provides companies with an option of one of two methods to honor a request by a consumer to opt-out of the “selling” or “sharing” of personal information. One method to honor a verified opt-out request is to post a “Do Not Sell or Share My Personal Information” link and if applicable, a “Limit the Use of My Sensitive Personal Information” link.[7] Alternatively, businesses do not need to offer such a link “if the business allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal…”[8] The statute’s use of the word “if” makes it clear that CPRA treats responses to opt-out preference signals as voluntary. The voluntary nature of opt-out preference signals is further evidenced by other language such as “[a] business that allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal….”[9]

As many of the Chamber’s members operate nationwide including in the state of California, it is in the interest of both consumers and the business community to eliminate confusion and potentially conflicting data rights.  For this reason, Section 7025(b) should be revised to conform to CPRA and treat recognition of global opt-out preference signals as voluntary and not mandatory.

Giving businesses the flexibility with respect to recognizing a global opt-out preference signal, as envisioned by the statute, is important. There are many uncertainties regarding how such signals would be implemented, how businesses are to treat multiple global opt preference signals that could conflict, and how to ensure that  such signals do not have anti-competitive consequences. There is currently no universal opt-out preference signal capable of effectively communicating a consumer’s opt-out preferences to all websites, online platforms, or mobile applications. Universal opt-preference signals should be an optional method to honor opt-outs as outlined in the statute.

Moreover, the proposed regulations ignore important statutory requirements designed to ensure consumers make informed opt-out choices. In particular, the Agency should ensure that any global opt-out preference is free of defaults that presuppose consumer intent, is clearly described and easy to use, and does not conflict with other commonly used privacy settings. A mechanism that fails to accurately identify California residents and inform them of the specific privacy choices under the CPRA would not meet the statutory requirements for obtaining informed consumer consent.

III. Fair Enforcement Timelines

CPRA requires the CPPA to finalize all implementing regulations by July 1, 2022—12 months prior to the date of CPRA enforcement.[10] Companies now run the risk of being in violation of the Act without receiving needed clarity for compliance because the Agency has not finalized all required rulemakings. This is even made more of a concern by the fact that California’s exemption for business-to-business contact data and employee data will lapse at the end of the year.

The CPPA should delay both the effective and enforcement dates in light of the delayed rulemaking. CPPA should not retroactively enforce as well where it has failed to finalize regulations.  The draft regulations establish a purely discretionary standard, which does not provide businesses with the needed time or certainty.  At a minimum, there should be at least six months before the finalization of the implementing regulations and the effective date. Businesses are currently in the untenable position of trying to comply with the CPRA without finalized regulations.

IV. Conclusion

The Chamber stands ready to work with you to ensure that the CPPA protects the laudable goals of giving consumers the right to access, correct, delete, and opt-out of sharing information among others. At the same time, we urge the Agency to pursue fair enforcement and carefully follow the statutory text which will provide the certainty needed for a thriving innovation economy.

If you have any further questions and need clarification, please contact me at or (202) 578-0009.


Jordan Crenshaw
Vice President
Chamber Technology Engagement Center
U.S. Chamber of Commerce


[2] The Chamber previously filed comments in August 2022 regarding the initial proposed rules for CPRA and continues to articulate the same concerns addressed therein at


[4] Modified Proposed Regulations § 7002(a),(e).


[6] Proposed Regulations § 7025(b).

[7] Cal. Civ. Code § 1798.135(a).

[8] Id. At § 1798.135(b)(1) (emphasis added).

[9] Id. At 1798.135(b)(2) (emphasis added).

[10] Cal. Civ. Code § 1798.185(d)