CPPA Board Approves Proposed Modifications; 15 Day Comment Period Triggered

By Andrew Scott

On Thursday, November 3, 2022, the California Privacy Protection Agency (CPPA) noticed modifications (and additional documents and other information relied upon) to the text of the proposed regulations, triggering a 15-day comment period that closes on Monday, November 21, 2022, at 8am. 

The proposed modifications arrived shortly after the Board concluded a two-day meeting that took place on October 28-29, in which the Board unanimously passed a motion that directed the Agency’s Staff to take all steps necessary to prepare and notice the modifications.  Accordingly, the proposed modifications incorporate the Board’s directions from the motion, which is included below: 

Board Requested for Further Modifications:

• 7002:  The Board directed the Staff to clarify language about a consumer’s expectation with regard to the examples set forth in 7002(b), to remove the word “factors,” and to clarify language regarding the “consumer.”

• 7025:  The Board directed the staff to clarify language that opt-out preference signals should also apply to pseudonymous profiles, e.g., consumer profiles associated with the browser or device. Additionally, the Board made clear when a business may ignore an opt-out request from a consumer in a financial incentive program.

• 7027(m):  In light of the expired HR data exemption, the Board observed a need to address the collection and use of sensitive personal information as a business purpose. Board members Mactaggart and De la Torre championed for the insertion of language stating that the use and disclosure of sensitive personal information shall be reasonably necessary and proportionate to achieve the purposes listed within 7027. 

Additional Regulation on Enforcement Guidance

Before the Board heard public comments on Sunday, October 29, Board Member Vinhcent Le brought forth a concern about the July 1st enforcement date not providing enough runway for companies to comply with the final regulations. The Board shared similar observations about the enforcement timeline, but observed that date is set by statute, leaving little room to circumvent the date.

Agreeing with Mr. Le, Chairperson Urban recognized that the business community has valid concerns, and it would make sense to provide guidance with how to approach this issue; however, she noted the Agency cannot issue guidance without going through the regulatory process. 

The Board requested the Staff to create a new regulation to take into consideration the businesses community’s need for more time to implement the regulations before the July 1, 2023, enforcement date.  This direction has been implemented into a new regulation–Section 7301(b):

As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.

Timing

The soonest the proposed regulations could be finalized is late January 2023. It is unlikely that this date will be met because the CPPA indicated that further modifications will be needed.

HR Data

It appeared that the Board considers employee/HR data to be very complex and noted that this matter would not be sufficiently addressed in the current rulemaking. Several times, the Board observed that employee/HR data might be included in a future rulemaking package.