Privacy Law

CPPA has a “Big Day” as Board Adopts Proposed CCPA Regulations; Looks Toward Future Rulemaking

Please share:

By Andrew Scott

On February 3, 2023, the Board of the California Privacy Protection Agency (the Agency) voted unanimously in favor of approving the text of the proposed CCPA regulations.  This vote finalized the Agency’s first rulemaking package after a robust and lengthy rulemaking process.  Given that the Agency is the country’s first and only dedicated privacy regulator, the importance of the monumental moment in finalizing this regulator’s first rulemaking package was captured perfectly at the meeting by Chairperson Jennifer Urban:  “This is a big day.” 

This rulemaking process began in October 2021 when the Agency solicited preliminary written comments from the public.  Then, the Agency held informational sessions (March 2022) and stakeholder sessions (May 2022).  With this background, the Agency commenced the formal rulemaking process to adopt regulations to implement the Consumer Privacy Rights Act of 2020 (CPRA) by putting out an initial rulemaking package on July 8, 2022, triggering a 45 day written comment period.

In light of the public comments to the proposed regulations, the Agency put together proposed modifications to the regulations.  At the meeting held on October 29th, the Board reflected on the proposed modifications and considered other changes.  On November 3, the proposed modified regulations were released, triggering a 15 day comment period.

At the meeting on February 3, Lisa Kim, the Agency’s new Senior Privacy Counsel and Advisor, said the substance of the final proposed regulations did not change from the modified regulations.  She said the Agency’s staff received 50 letters and over 450 pages of comments, which were either reiterating those comments made either during the previous 45 day period or in support of the modified regulations. 

The final text contains two colors:  blue and red.  The blue edits reflect additions made to the regulations from the text that was proposed on July 8, 2022; the red edits reflect deletions from the original text.  The final package also includes a Final Statement of Reasons (FSOR). 

Of note, California Administrative Procedure Act requires an analysis of the economic impact the regulations could have (Form 399).  The Agency included an addendum to Form 399 to provide a greater explanation and detail of specific regulations that could have an economic impact, isolating costs of certain parts of the statute. 

Now, the Agency’s staff will prepare the final rulemaking package to submit to the Office of Administrative Law (OAL).  The OAL will have 30 business days (~45 calendar days) to approve or disapprove of this final package.  If accepted, the CPPA’s target date of the regulations being effective in April is still within reach.  If the OAL disapproves of the regulations, text revisions may be made through a 15 day comment process issued by the Board. 

It is uncertain whether the OAL will approve the regulations as they are proposed. It was mentioned by staff at the February 3 meeting that the OAL will likely say there are issues with the final regulations.  If there are compliance issues, the OAL will notify the Agency before a final determination is made.  In order to ensure compliance with the APA, the Board included in its unanimous vote to authorize the CPPA’s staff to withdraw the rulemaking in whole or in part, at any time, if the legal risks would warrant further considerations from the Board.

Finally, the CPPA will continue with further rulemaking.  First, the staff said it has been cataloging feedback it has received from the Board on future topics for further rulemaking, but a complete list was not made known (a public comment requested that this list be made available).  It is likely that the list will include such topics as those surrounding Section 7002, sensitive personal information, dark patterns, and employee data. 

The day concluded with the Board approving a draft invitation for comments on proposed rulemaking for Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking.  The purpose of putting out this invitation is for the Agency to receive stakeholder input and information gathering for this rulemaking.  

Forgot Password

Enter the email associated with you account. You will then receive a link in your inbox to reset your password.

Personal Information

Select Section(s)

CLA Membership is $99 and includes one section. Additional sections are $99 each.