Privacy Law

CPPA Releases Notice of Proposed Regulatory Action Implementing New Consumer Privacy

By Andrew Scott

July 2022

On July 8, the California Privacy Protection Agency (CPPA) started the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), which amended the California Consumer Privacy Act (CCPA).

With a goal of strengthening consumer privacy, the proposed regulations aim to do three things: (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand. Regarding the third point, CPPA’s Executive Director Ashkan Soltani has explained that one of the goals is to improve readability of the regulations by centralizing all of the definitions and other subject areas in one area rather than being spread all over the place.

Below, there are further details on the following:  availability of rulemaking file, sections affected by the rulemaking, the written comment period, the effect of the proposed rulemaking, what is not included in the proposed rulemaking, public hearing details, anticipated benefits of the proposed regulations, disclosures regarding the proposed actions, consideration of alternatives, and contact persons.

Availability of Statement of Reasons, Text of Proposed Regulations and Rulemaking File

A copy of the proposed regulations and supporting documents can be found on the Agency’s website at https://cppa.ca.gov/regulations/consumer_privacy_act.html.

The rulemaking file consists of the Notice, the Text of Proposed Regulations, the Initial Statement of Reasons (ISOR), and any information upon which the proposed rulemaking is based.  The entire rulemaking file is available for inspection and copying throughout the rulemaking process upon request to the contact persons (listed below).  This information is available on the CPPA’s website at https://cppa.ca.gov/regulations/.  If you would like to receive notifications regarding rulemaking activities, you may subscribe to the CPPA’s email list here.  

With regard to the proposed regulations, text that is added is underlined.  The ISOR is a summary of specific sections, and the document explains the necessity of each revision (an element looked for by the Office of Administrative Law).   The ISOR provides insight into the intent of the agency and includes reflection from the CPPA on the nearly 900 pages of public comments and expert advice received on specific topic areas.  Acting General Counsel Brian Soublet has referred to the ISOR as a great primer for the proposed regulations.

It should be noted that the proposed draft regulations were not leaked. In our Section’s fireside chat hosted by Jeewon Serrato on June 30, 2022, Mr. Soltani and Mr. Soublet explained that because the Bagley-Keene Open Meeting Act applies to CPPA’s board meetings, the CPPA, like any board or commission of a state entity, has to conduct its business with open availability. So, any time the majority of the board is meeting to deliberate on an issue, it has to be noticed and open to the public, which means the draft rules or draft statement of reasons will probably have to be proposed and noticed every time before a decision is made.

Sections Affected by the Rulemaking

The CPPA proposes to amend sections 7000, 7001, 7010, 7011, 7012, 7013, 7016, 7020, 7021, 7022, 7024, 7026, 7028, 7050, 7060, 7061, 7062, 7063, 7070, 7071, 7072, 7080, 7081, 7100, 7101, and 7102, adopt sections 7002, 7003, 7004, 7014, 7015, 7023, 7025, 7027, 7051, 7052, 7053, 7300, 7301, 7302, 7303, and 7304, and repeal section 7031 of title 11, division 6, chapter 1 of the California Code of Regulations concerning the California Consumer Privacy Act.

Written Comment Period

The CPPA has invited “any interested person or their authorized representative” to submit written comments relevant to the proposed regulatory action. The written comment period closes on August 23, 2022, at 5:00 p.m. Only written comments received by that time will be considered.

Submissions may be made electronically or by mail. Electronic comments may be submitted to regulations@cppa.ca.gov. Please include “CPPA Public Comment” in the subject line. If a comment is being submitted via mail, please send it to the following:

California Privacy Protection Agency
Attn: Brian Soublet
2101 Arena Blvd., Sacramento, CA 95834
(279) 895-6083

The CPPA notes that written and oral comments, attachments, and associated contact information (e.g., address, phone, email, etc.) become part of the public record and can be released to the public upon request.

In the fireside chat on June 30, Mr. Soublet and Mr. Soltani stated that comments should be in an attachment to an email and should not include any personal information. Mr. Soublet noted that unhelpful comments include criticism and requests to take actions to make changes to the statutes. The CPPA will respond to every comment.

After the Comment Period Ends

The CPPA will analyze “all timely and relevant comments received during the 45-day public comment period.”  The CPPA has the choice of either adopting the regulations substantially or making modifications based on the comments.

Any modifications made must be “sufficiently related to the originally-proposed text.”  The modified text will be available to the public for at least 15 days before the CPPA adopts the regulations as revised. Requests for copies of any modified regulations may be sent to the attention of the contact.   The CPPA will accept written comments on the modified regulations for 15 days after the date on which they are made available. 

Upon the completion of the regulations, a Final Statement of Reasons will be available on the CPPA’s website:  https://cppa.ca.gov/regulations/.

Effect of Proposed Rulemaking

The CPPA “is directed to adopt regulations to further the purposes of the Act, including promulgating regulations on 22 specific topics.” (§ 1798.185). Specifically, the proposed regulations aim to establish the following:

  • Rules defining notified purpose limitations on which a business’ data practices are consistent with consumers’ expectations. (§ 1798.185, subd. (a)(10).);
  • Rules, procedures, and any exceptions necessary to ensure that required notice of a business’s data practices under the CCPA is provided in a manner that may be easily understood by the average consumer (§ 1798.185, subd. (a)(6).);
  • Rules and procedures to facilitate and govern the submission of a consumer’s request to opt-out of sale/sharing and request to limit and a business’s compliance with the request. (§ 1798.185, subd. (a)(4).);
  • Rules and procedures to ensure that consumers have the ability to exercise their choices without undue burden and to prevent businesses from engaging in deceptive or harassing conduct. (§ 1798.185, subd. (a)(4).);
  • Rules and procedures to facilitate a consumer’s right to delete, correct, or obtain personal information. (§ 1798.185, subd. (a)(7).);
  • Rules on the right to request a correction. (§ 1798.185, subd. (a)(8).);
  • Procedures on how to extend the 12-month period of disclosure of information after a verifiable consumer request pursuant to section 1798.130, subdivision (a)(2)(B). (§ 1798.185, subd. (a)(9).);
  • Defining the requirements and specifications for an opt-out preference signal. (§ 1798.185, subd. (a)(19)(A) & (B).);
  • Establishing regulations governing how businesses respond to an opt-out preference signal where the business has elected to comply with section 1798.135, subdivision (b). (§ 1798.185, subd. (a)(20).);
  • Establish regulations governing the use or disclosure of a consumer’s sensitive personal information. (§ 1798.185, subd. (a)(19)(C).);
  • Defining and adding to the business purposes for which businesses, service providers, and contractors may use personal information consistent with consumer expectations, and further define the business purposes for which service providers and contractors may combine personal information. (§ 1798.185, subd. (a)(10).);
  • Identifying the business purposes for which service providers and contractors may use consumers’ personal information pursuant to a written contract with a business, for the service provider or contractor’s own business purpose. (§ 1798.185, subd. (a)(11).);
  • Establishing procedures for filing complaints with the Agency (§ 1798.199.45) and procedures necessary for the Agency’s administrative enforcement of the CPRA. (§ 1798.199.50);
  • Define the scope and process for the exercise of the Agency’s audit authority as well as the criteria for selecting those that would be subject to an audit. (§ 1798.185, subd. (a)(18).); and 
  • Harmonize regulations governing opt-out mechanisms, notices, and other operational mechanisms to promote clarity and functionality. (§ 1798.185, subd. (a)(22).)

What is not Included:

The CPPA “will not be promulgating rules on cybersecurity audits (§ 1798.185, subd. (a)(15)(A)), risk assessments (§ 1798.185, subd. (a)(15)(B)), or automated decisionmaking technology (§ 1798.185, subd. (a)(16)) at this time. These areas will be the subject of a future rulemaking and are not within the scope of this Notice of Proposed Rulemaking.” 

In our fireside chat, Mr. Soublet and Mr. Soltani indicated that although these topics are not addressed in this iteration of rulemaking, they will be addressed on a timeline that is not yet known. Moreover, it seems likely that rulemaking will continue after the January 1, 2023, deadline.

Public Hearing Details

The CPPA will hold a public hearing to provide an opportunity to present statements or arguments, either orally or in writing, with respect to the proposed regulations, at the following dates and time at the physical location identified below and via Zoom video and telephone conference:

Dates: August 24 and 25, 2022

Time: 9:00 a.m. Pacific Time

Location:    

Elihu M. Harris State Building
1515 Clay Street
Oakland, CA 94612
Auditorium (1st floor)

To join this hearing by Zoom video conference:  https://cppa-ca-gov.zoom.us/j/89421145939

Or Telephone:

USA (216) 706-7005 US Toll
USA (866) 434-5269 US Toll-free
Conference code: 682962

The CPPA requests that members of the public who wish to speak at the hearing RSVP in advance on the Agency’s website at https://cppa.ca.gov/regulations/.

Of note, Mr. Soltani has stated that it will be much easier to join the Zoom meeting than to drive up to Sacramento.

Further, the public hearings will be transcribed. 

Anticipated Benefits of the Proposed Regulations

Operationalizing the CPRA Amendments – The CPPA stated that the proposed regulations provide comprehensive guidance on how to implement and operationalize new consumer privacy rights and other changes to the law introduced by the CPRA amendments to the CCPA. 

Helping Consumers and Businesses  – With the goal of strengthening consumer privacy, the CPPA stated that it proposed regulations “that support innovation in pro-consumer and privacy-aware products and services while also helping businesses efficiently implement privacy-aware goods and services. (Id., § 3(C)(1) & (5).) The proposed regulations take into consideration how privacy rights are being implemented in the marketplace presently and build upon the development of privacy-forward products and services.”

Harmonizing with Other Jurisdictions:  The CPPA stated that the “proposed regulations take into consideration privacy laws in other jurisdictions and implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah. In doing so, it simplifies compliance for businesses operating across jurisdictions and avoids unnecessary confusion for consumers who may not understand which laws apply to them.”  

With respect to other state or federal laws, the CPPA went on to say that it has “determined that these proposed regulations are not inconsistent or incompatible with existing State regulations” and that “[t]here are no existing federal regulations or statutes comparable to these proposed regulations.”

Disclosures Regarding the Proposed Actions

The CPPA disclosed many initial determinations it had made, including the following:

  • There are no mandates on local agencies or school districts;
  • There is no fiscal impact anticipated on the CPPA; 
  • There may be an impact to the Department of Justice’s (DOJ) expenditures for enforcement because the DOJ is currently enforcing CCPA and maintains civil enforcement authority;
  • There is no cost to any local agency or school district; 
  • The proposed regulations are estimated to have a cost impact of $127.50 per business, representing “the labor cost of updating certain website information to comply with the proposed regulations”;
  • There is no significant, statewide adverse economic impact directly affecting businesses, including ability to compete: “The Agency has made an initial determination that the proposed action will not have a significant, statewide adverse economic impact directly affecting businesses, including the ability of California businesses to compete with businesses in other states”;
  • Conclusions from the Economic Impact Assessment (EIA) include “(1) unlikely that the proposal will create or eliminate jobs within the state, (2) unlikely that the proposal will create new businesses or eliminate existing businesses within the state, (3) unlikely that the proposal will result in the expansion of businesses currently doing business within the state”;
  • Business report requirement: Section 7102 requires businesses collecting large amounts of personal information to annually compile and disclose certain metrics. The CPPA proposes to amend section 7102 to require these businesses to additionally disclose information about requests to correct and requests to limit; and
  • Small business determination: The Agency has determined that the proposed action affects small businesses.

Consideration of Alternatives

The CPPA determined that the proposed regulations are the most effective way to operationalize the CPRA amendments to the CCPA. The CPPA considered a more stringent regulatory requirement and a less stringent regulatory requirement. Interestingly, the less stringent regulatory alternative would, among other things, “allow limited exemption for GDPR-compliant firms. Limitations would be specific to areas where GDPR and CCPA conform in both standards and enforcement, subject to auditing as needed.” The CPPA rejected this regulatory alternative because of key differences between the GDPR and CCPA.

Contact Persons

Inquiries concerning the proposed administrative action may be directed to: 

California Privacy Protection Agency
Attn: Brian Soublet
2101 Arena Blvd., Sacramento, CA 95834
(279) 895-6083
regulations@cppa.ca.gov

Or

California Privacy Protection Agency
Attn: Von Chitambira
2101 Arena Blvd., Sacramento, CA 95834
(279) 895-1412
regulations@cppa.ca.gov

