On Feb. 18, Chairperson Jennifer Urban of the California Privacy Protection Agency (CPPA) addressed the California state bar and clarified the announcements that were made during the CPPA board meeting on Feb. 17. Read on for an explanation of the California Privacy Rights Act (CPRA) rulemaking process and brief summaries of the privacy bills in California, including proposed amendments to the CPRA that were filed last week to extend the employee and business-to-business exemptions.

CPRA Rulemaking

During a kickoff of the CPRA Law + Tech Series: Understanding Data, Decisionmaking, and Design, co-hosted by the California Lawyers Association Privacy Law Section and the Future of Privacy Forum, Urban explained that the CPPA is pressing forward with its mandate but is subject to certain statutory limitations. For example, under the Bagley-Keene Open Meeting Act, all CPPA board deliberations must be held in public meetings, reflecting the California State Legislature’s emphasis on transparency that may come at the expense of efficiency. Still, CPPA subcommittees composed of two board members, short of the three-member threshold to establish a quorum, may perform substantive work and then present recommendations to the board in public meetings.

Urban confirmed that the CPPA will begin formal public deliberations, possibly with a draft rulemaking package that the public may be able to see in April. The CPPA board may then direct further refinement of the draft regulations or put them into the formal rulemaking process. Urban further explained that the goal is to have draft regulations issued during the second quarter of 2022, or by June.

She confirmed the year-end target for final regulations and noted that the timing may depend on what unfolds during the public comment process. Regarding enforcement, she acknowledged the concern expressed by stakeholders that if regulations are delayed, there may not be sufficient time to implement new or revised processes to comply with the new regulations; but she could not express a position on postponement in light of the applicable transparency and public participation requirements.

In the meantime, as CPPA Executive Director Ashkan Soltani confirmed on Feb. 17, the CPPA will seek comments informally from experts and stakeholders. Urban emphasized that the CPPA is dedicated to being as accessible as possible to stakeholders and will be reviewing, for example, all comments and questions submitted at CPPA public meetings.

CPRA Amendments

While CPRA rulemaking is slated to begin in March, California legislators have introduced a number of privacy bills that we continue to monitor. Feb. 18 was the last day for individual legislators to introduce bills, and we saw a flurry of bills being proposed, including two proposals to extend the employee and business-to-business exemptions (AB 2871 and AB 2891). 

Committees can still introduce bills where an entire committee is the author, and Aug. 25 is the last day to amend bills, but this rule can also be waived. Aug. 31 is the last day for each house to pass bills for the 2022 legislative session. We continue to monitor the legislative activity, as any of the current bills that were introduced could be vehicles for last-minute amendments and could turn into something completely different.

Below is a chart with short summaries of the pending bills that make up the continually evolving privacy law landscape in California.

| Measure | Summary |
| --- | --- |
| AB 13 | Bill introduces the Automated Decision Systems Accountability Act, which relates to the risk of adverse and discriminatory impacts resulting from the design and application of automated decision systems. |
| AB 35 | Bill would require a person who operates a social media platform to disclose whether or not that social media platform has a policy or mechanism in place to address the spread of misinformation. |
| AB 587 | Bill would require a social media company to post its terms of service in a specified manner and with additional specified information. |
| AB 814 | Bill would prohibit data collected, received or prepared for purposes of contact tracing from being used, maintained or disclosed for any purpose other than facilitating contact tracing efforts. |
| AB 1436 | Bill would define and limit use and disclosure of “personal health record information” for purposes of the Confidentiality of Medical Information Act. |
| AB 2273 | Bill introduces the California Age-Appropriate Design Code Act, which relates to standards for businesses that create goods, services or product features likely to be accessed by children. |
| AB 2372 | Bill would amend the Insurance Information and Privacy Protection Act to establish revised notice requirements for the collection, use and disclosure of information gathered in connection with insurance transactions by insurance institutions and agents as well as insurance-support organizations. |
| AB 2392 | Bill relates to the requirement that manufacturers of connected devices equip them with a reasonable security feature or features. |
| AB 2486 | Bill would create, in the CPPA, the Office for the Protection of Children Online. |
| AB 2871 | Bill would extend indefinitely the employee and business-to-business exemptions under the California Consumer Privacy Act (CCPA), which are currently set to expire on Jan. 1, 2023. |
| AB 2879 | Bill would amend the Student Online Personal Information Protection Act, which relates to restrictions on the use of student data, including a prohibition on targeted advertising, and would require cyberbullying reports by website operators. |
| AB 2891 | Bill would extend until Jan. 1, 2026, the employee and business-to-business exemptions under the CCPA. |
| SB 746 | Bill would grant to consumers a new right under the CCPA to request that a business disclose to the consumer whether or not the business uses personal information collected about the consumer for a political purpose. |
| SB 1172 | Bill would amend the CPRA to prohibit a business providing proctoring services in an educational setting from collecting, retaining, using or disclosing personal information except to the extent necessary to provide those proctoring services. |
| SB 1189 | Bill would amend the CPRA to require a private entity in possession of biometric information to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. |
| SB 1216 | Bill would require the Secretary of the Government Operations Agency to establish and appoint the Deepfake Working Group. |