CPPA Publishes Proposed Deletion Mechanism / Draft Regulations
September 30, 2024
UNITED STATES
CPPA Publishes Proposed Deletion Mechanism / Draft Regulations
Ahead of the October 4 board meeting, the California Privacy Protection Agency published for discussion: (1) a presentation detailing a proposed Delete Request and Opt-Out Platform (DROP); (2) data broker registration draft text; (3) updated proposed regulations governing risk assessments and automated decision-making (ADMT), among other matters; and (4) a list of potential future rulemaking topics.
Cover memos accompanying the materials included recommendations that the proposed risk assessment and ADMT regulations, which contain minimal updates from the latest July version, be advanced to formal rulemaking and that the data broker registration text, which has already gone through formal rulemaking, be adopted for codification before the upcoming January 1, 2025 registration cycle. The DROP presentation is not accompanied by draft regulations or explanatory materials.
TAKEAWAY
The proposed DROP system, which the CPPA is required to make available to consumers by January 1, 2026 pursuant to the Delete Act, would allow consumers to submit deletion requests to individual or ALL registered data brokers through a central mechanism maintained by the CPPA. Consumers would be required to submit at least their email address and could optionally submit additional identifiers, such as their name, phone number, address, DOB and pseudonymous identifiers like MAIDs. Data brokers would query relevant lists (email, phone, MAID) via API every 45 days, process relevant requests and provide an update to the CPPA.
Some notable topics in the “potential future rulemaking” list include requiring specific disclosures for mobile apps to be accessible in the app store prior to downloading, requiring the notice to opt-out of sale/sharing within mobile apps prior to or upon their use, and providing model notices and other disclosures.
EUROPE
CNIL Publishes Final Recommendations for Mobile Apps
The French Data Protection Authority (CNIL) published the final version of its recommendations for mobile app privacy following a public consultation. The recommendations were accompanied by a statement that, starting early Spring 2025, the CNIL will begin monitoring mobile applications to ensure compliance with the rules.
TAKEAWAY
Of note, the recommendations stress that the publisher must ensure that the rights of individuals are respected “even when their practical implementation depends on a third party” and recommend providing users with a rights management center within the application where all rights can be exercised. The recommendations also emphasize that the use of a CMP, in addition to OS-provided permissions, may be necessary where the OS permissions don’t meet the requirements set by the GDPR (e.g., where certain purposes or controllers are not covered by the permission or where withdrawing consent is not as easy as giving it) but caution that, where choices expressed in the permissions and the CMP differ for the same purpose, consent cannot be considered validly given.
Check out our CMP solution for mobile apps. Capture and syndicate user preferences to comply with privacy regulations like GDPR and various U.S. state privacy laws, and industry frameworks like the IAB’s TCF with Sourcepoint’s CMP for mobile apps.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.