CPRA Rulemaking Process Officially Begins
As discussed in last month’s edition of the Technology & Intellectual Property Update, the California Privacy Protection Agency (the “Agency”) released CPRA draft regulations in late May that would promulgate the amendments made to the California Consumer Privacy Act (“CCPA”) by the California Privacy Rights Act (“CPRA”). On July 8th, the Agency began the formal rulemaking process to establish the draft regulations covering a handful of the regulatory topics the Agency set out to address, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement, and privacy notice requirements.
The Agency’s filing of the Notice of Proposed Rulemaking triggers a minimum 45-day public comment period. Consistent with that timeframe, the Agency stated that it will accept written comments until August 23, 2022. The Agency will hold public hearings on August 24 and 25, 2022.
The timeframe for finalizing the regulations will depend on how quickly the Agency can consider public comments and to what extent it modifies the regulations in response. If the Agency makes major changes to the proposed regulations, it must initiate another 45-day comment period. If the Agency makes substantial and sufficiently related changes, it must initiate a 15-day comment period. If it makes no changes or non-substantial and sufficiently related changes, it does not have to initiate another comment period.
The proposed regulations seek to synchronize the existing CCPA regulations with the CPRA’s amendments and to operationalize new concepts introduced under the CPRA. The proposed regulations do not include all of the almost two dozen topics required to be addressed under the CPRA. Additional regulations covering topics including cybersecurity audits, risk assessments, and automated decision-making are expected to be released at a later date.
The Notice of Proposed Rulemaking includes commentary showing that the Agency is considering how the regulations will interact with other privacy laws. According to the Agency, “the proposed regulations take into consideration privacy laws in other jurisdictions and implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” However, the Agency rejected a regulatory alternative that would have allowed for a limited exception for GDPR-compliant businesses. Although that “approach could achieve significant economies of scale in both private compliance and public regulatory costs,” the Agency rejected it “because of key differences between the GDPR and CCPA,” including “in terms of how personal information is defined and the consumer’s right to opt-out of the sale or sharing of personal information (which is not required in the GDPR).”