California Privacy Protection Agency Votes to Begin Rulemaking Process

On June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27. The first set of draft rules covers specific topics including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement, and privacy notice requirements. The new draft rules represent only a small number of the 22 regulatory topics that the CPPA has been tasked with regulating in Cal. Civ. Code § 1798.185(a). Details on what’s currently in the draft regulations can be found here. The initial statement of reasons for the draft regulations outline was also published in late May, providing a rationale from CPPA board and staff on why they’ve decided to implement specific areas within the draft regulations as they did. 

The next step in the process is for the CPPA staff to initiate the formal notice and comment period, where public stakeholders will have an opportunity to comment on the proposed rules. Agencies wishing to submit written comments to the draft rules can do so on the CPPA’s website, once the draft rules are published in the California Regulatory Notice Register. The initial comment period will last for at least 45 days, and the CPPA will hold a public hearing. The 4A’s will be submitting comments on several areas of concern within the regulations in partnership with the other advertising trades.

Should the CPPA make edits to the initial draft regulations, a subsequent comment period will run for 15+ days for public feedback on the revisions. The CPPA will then issue its Final Statement of Reasons and final regulations. The CPPA’s next meeting has yet to be scheduled.

The CPPA has previously said it will likely miss an initial July 1 statutory deadline to adopt regulations but has not discussed whether that deadline, and thus enforcement, will be delayed. The California Hispanic Chambers of Commerce Assistant Deputy Chief of Staff Luis Lopez called on the agency to commit to extending the enforcement deadline by six months “to give businesses time to comply.” The board indicated the delayed enforcement date topic would be placed on an upcoming meeting agenda. In February, CPPA Executive Director Ashkan Soltani said the rulemaking schedule would go “somewhat past” the July 1 deadline, with completion anticipated “in Q3 or Q4.”

The CPPA has indicated that the initial set of draft rules are not the only rules that the CPPA will issue. A second round of rulemaking may focus on automated decisionmaking, cybersecurity audits, and privacy risk assessments.  The timeline for issuance of additional rules is currently unknown.

If you have any questions about the California privacy bill, the CPRA draft regulations, or the CPPA rulemaking process, please contact Alison Pepper, Executive Vice President of Government Relations and Sustainability.