By Justin Yedor, Stanton Burke, and Jeewon K. Serrato
For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”). In the Invitation for Comment, the CPPA specifically highlights eight areas in which the Agency is particularly interested in receiving comments, though it welcomes comments in any other area subject to regulation under the CPRA. The Agency also published Tips for Submitting Effective Comments to help guide the process. The deadline to submit comments is November 8, 2021. Read below for practical takeaways on the CPRA rulemaking process and why businesses may want to participate.
The CPPA’s Plan for Promulgating Regulations
The CPRA established the CPPA as a first-of-its-kind administrative agency solely dedicated to protecting the privacy of Californians’ personal information. The CPPA is charged with enforcing the CPRA as well as issuing regulations interpreting the statute. The CPRA specifically lists 22 topics to be addressed by the regulations. As we saw with the California Consumer Privacy Act (the “CCPA”), the contents of these regulations can be crucial in understanding how to comply with the law. With the CPRA going into effect on January 1, 2023, businesses now have 15 months to complete the compliance program for the CPRA.
Since the CPPA Board members were appointed in March 2021, the Board has begun to build out the Agency, including a search for its Executive Director. When the CPPA Board met on September 7, 2021 (meeting materials are available here), the Board discussed several items critical to establishing the new agency, including hiring staff, securing office space, adopting policies to govern the Board itself, and setting a more frequent cadence for Board meetings (for example, the next meeting is on September 24). In addition, several Board members expressed concerns that the newly established CPPA would not be able to promulgate final regulations by the July 1, 2022 deadline. Working backward from that deadline, and accounting for the time necessary for approval of the regulations by the California Office of Administrative Law and the required public comment periods, the initial draft of the regulations would need to be published no later than December 2021.
The CPPA currently consists of five Board members plus one part-time staff member. For comparison, when the California Attorney General handled the rulemaking under the CCPA, there were as many as ten fulltime staff members dedicated to the process and it still took over a year to complete. Indeed, given the tight timeline, several Board members floated ideas for backup plans—including a statutory amendment allowing more time and affording businesses a grace period to implement the regulations if they are approved at the last minute.
In addition, the Board made it clear that it will seek public comment as early as possible—particularly regarding aspects of the CPRA that are entirely new or a substantial departure from the CCPA. Notably, the Board established three new subcommittees on rulemaking:
- A subcommittee dedicated to rules that are entirely new under the CPRA (such as cybersecurity audits, risk assessments, and automated decision-making);
- A subcommittee focused on updates to rules that currently exist in some form under the CCPA but may be different under the updated statute; and
- A subcommittee to advise on the rulemaking process itself (including coordinating hearings and recommending additional rules).
Invitation to Comment on the CPRA Regulations
As it begins the rulemaking process, the CPPA is seeking input from stakeholders in developing the regulations. In conjunction with the Invitation for Comment, the Board announced plans to hold a series of informal hearings at the outset of the rulemaking process. Although the public is invited to submit comments related to any of the topics on which the CPPA has rulemaking authority, the CPPA is particularly interested in receiving comments on the topics listed below:
- Processing that presents a significant risk to consumers’ privacy or security, including cybersecurity audits and risk assessments performed by businesses;
- Automated decision-making;
- Audits to be performed by the CPPA;
- Consumers’ right to delete, right to correct, and right to know;
- Consumers’ rights to opt out of the selling or sharing of their personal information, and to limit the use and disclosure of their sensitive personal information;
- Additional issues relating to sensitive personal information;
- Information to be provided in response to a consumer’s request to know; and
- Regulations needed “to create or update definitions of important terms and categories of information or activities covered by the statute.”
The CPPA’s Invitation for Comment includes detailed sub-topics under each of the above categories covering 34 additional issues important to the regulations. For example:
- “What activities should be deemed to constitute ‘automated decision-making technology’ and/or ‘profiling’?”
- “What constitutes ‘sensitive personal information’ that should be deemed ‘collected or processed without the purpose of inferring characteristics about a consumer’ and therefore not subject to the right to limit use and disclosure”? and
- What regulations, if any, “should be adopted to further define ‘dark patterns’”?
For businesses conducting gap assessments to identify the areas in which their current CCPA compliance programs may not sufficiently meet the requirements under the CPRA, the Invitation for Comment should provide a good baseline for determining the data processing activities that may be impacted by the new regulations.
As we saw with the CCPA rulemaking process, businesses now have an opportunity to be on the ground floor as the new Agency begins drafting new regulations. Businesses with an interest in providing examples to show the CPPA how certain regulations would negatively or positively impact business should consider submitting comments as part of this information gathering phase.
BakerHostetler’s Digital Assets and Data Management (“DADM”) Practice Group will continue to monitor the CPRA rulemaking process. Subscribe to our Data Counsel blog and visit our Consumer Privacy Resource Center for additional information and further updates.
We also want to highlight that the Privacy Law Section of the California Lawyers Association is hosting a fireside chat with the CPPA Board Chairperson, Jennifer Urban, on October 5, 2021 (RSVP here).