On October 5, 2021, Jennifer Urban, who serves as Chair of the Board the California Privacy Protection Agency (the CPPA) spoke with members of the California Lawyer’s Association about the Board’s work to get the new Agency off the ground, the challenges it faces in doing so and the regulations to be issued under the California Privacy Rights Act (the CPRA). This occasion marked the first time Chair Urban addressed a public audience since her appointment earlier this year to lead the CPPA Board. While Chair Urban spoke at the event as a private citizen and not on behalf of the Board or the Agency, her remarks provided a useful recap of where things stand with the CPPA and what to expect over the coming months.
Chair Urban’s answers to the questions raised during the event provided a succinct summary of the topics discussed at the Board’s September 7 meeting, and she noted her enthusiasm about the selection of Ashkan Soltani as the CPPA’s first Executive Director. Our coverage of the September 7 meeting and the CPPA’s Invitation for Preliminary Comments on Proposed Rulemaking is available here.
The primary topic addressed by Chair Urban—and one that is top of mind for many right now—was the status of the rulemaking under the CPRA. To meet the CPRA’s July 1, 2022 deadline, the final Regulations need to be delivered by the CPPA to the California Office of Administrative Law (the OAL) in mid-May 2022. Given that the Agency itself is just getting off the ground, its goal is to issue a notice of proposed rulemaking by January 2022.
In the meantime, the CPPA issued an Invitation for Preliminary Comments on Proposed Rulemaking on September 22, 2021. Chair Urban emphasized the Board’s desire to receive preliminary comments on any and all topics subject to regulation under the CPRA. She encouraged anyone with an interest in the Regulations to submit comments before the November 8, 2021 deadline. Chair Urban also noted that comments from the bar and privacy practitioners will be particularly helpful for the Agency, as will proposed language for particular rules.
Even as the rulemaking process begins, there are significant challenges to meeting the CPRA’s deadline. Chair Urban discussed some of the options the Board is considering as backups even as it pushes ahead on the rulemaking. These include California’s emergency rulemaking process, which involves an abbreviated public notice and comment period followed by review and approval by the OAL. A regulation adopted under this process remains in effect for 180 days and can become permanent only if adopted through the regular rulemaking process. The Board is also looking at the possibility of a formal extension of the CPRA’s July 1, 2022 deadline and an extension of the enforcement deadline, though those options would require action by the Legislature.
The Board’s next meeting is on October 18, 2021. At that meeting, the Board will address several important topics, including the proposed topics for the CPPA’s preliminary informational hearings, notice to the California Attorney General regarding the assumption of rulemaking authority, and a delegation of certain administrative functions to Executive Director Soltani. The full agenda is available here.
The Board is now organized into three subcommittees. The proposed division of work by subcommittee and the suggested members are as follows:
New CPRA Rules Subcommittee (Vincent Le and Lydia de la Torre):
- Cybersecurity audits
- Risk assessments
- Automated decision-making
- Agency audit authority
Update of CCPA Rules Subcommittee (Jennifer Urban and Angela Sierra):
- Opt-out requests (including preference signals)
- Rights to erase, correct, and know (look-back period, definition of “specific pieces of personal information obtained from the customer,” etc.)
- Use of personal information by contractors/service providers
Rulemaking Process Subcommittee (John Christopher Thompson and Lydia de la Torre):
- Coordinate pre-rulemaking and rulemaking activities (e.g., informational hearings, collection of comments, etc.)
- Make recommendations as to whether rules are needed for certain topics
- Coordinate report on scope of privacy rules that currently apply to insurance corporations
- Suggest additional topics for rulemaking and secure resources
We note that the Invitation for Preliminary Comments was primarily focused on the topics that appear to be characterized as “new CPRA rules,” meaning new rights and obligations under the CPRA and not updates to existing CCPA rules.
BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group will continue to monitor the CPRA rulemaking process. Subscribe to our Data Counsel blog and visit our Consumer Privacy Resource Center for additional information and further updates.