While candy sales skyrocketed and trick-or-treaters donned costumes this past Halloween weekend, the California Privacy Protection Agency (Agency) Board was busy holding its first public meeting since September. Over the course of the two-day meeting on Friday and Saturday, October 28 and 29, the Agency welcomed new board member Alastair Mactaggart and discussed and debated numerous provisions of the Modified Draft Proposed California Consumer Privacy Act Regulations (Draft CCPA Regulations). Most importantly, it unanimously passed a motion directing the Agency staff to take all steps necessary to prepare and notice modifications to the text of the proposed regulatory amendments for an additional 15-day comment period.
Below we summarize some of the most critical updates from the meeting and cover the next steps in this process. Overall, the Agency revealed that it is targeting early 2023 for releasing and approving a full and final rule-making package.
Key Proposed Modifications for Agency Consideration
Lisa Kim of the California Attorney General’s Office led the first day’s agenda, walking the Agency through modifications to the Draft CCPA Regulations (including a series of newly proposed modifications to the draft released on September 17). A large portion of the discussion revolved around proposed regulations dealing with (1) the right to limit the use of Sensitive Personal Information (SPI), (2) treatment of Opt-Out Preference Signals (OOPS), and (3) purpose limitation and data minimization.
Right To Limit the Use of Sensitive Personal Information (SPI)
As currently written, proposed regulation § 7027(m) lists the permissible purposes for which businesses can process SPI without a requirement to provide consumers with the right to limit. Board members Lydia de la Torre and Alastair Mactaggart each expressed concern with this section, mainly around whether the list would allow employers to collect and process SPI as related to diversity, equity, and inclusion purposes and whether the list was comprehensive enough. Ultimately, the board decided to put a pin in this issue and agreed that this provision was one that would require further consideration and supporting legal analysis.
Opt-Out Preference Signals (OOPS)
The board considered two issues involving proposed regulation § 7025, which deals with OOPS. First, it was concluded on the advice of staff that OOPS “should apply to pseudonymous profiles, e.g., consumer profiles associated with the browser or device.” Second, the board discussed how businesses can respond when a consumer joins a financial incentive program and subsequently sends an OOPS. The board decided that the draft proposed regulation will reflect that (1) “if a business asks and the consumer does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal;” and (2) “a business shall still apply an opt-out preference signal to the browser or device, or the known consumer, if the business does not ask the consumer to affirm their intent to withdraw from a financial incentive program.”
Purpose Limitation and Data Minimization
The modified draft regulations include an almost entirely revised § 7002. Board Member de la Torre asked about the genesis of these changes and expressed concerns regarding whether all the factors in this section were mandatory for businesses to consider. In the end, the motion passed by the Agency directed the staff to contemplate several changes here, including: (1) adding “[c]larifying language about a consumer’s expectation regarding the examples set forth in [§] 7002(b);” (2) “Removal of the word ‘factors’;” (3) adding “[c]larifying language within 7002(b)(4) about the straightforwardness and ease of understanding of the disclosure”; and (4) adding “[c]larifying language regarding the ‘consumer’.”
More Regulations on the Horizon
It was reiterated in public comment that the current modified regulations do not cover all of the statutorily required topics under § 1798.185 (most notably, regulations related to automated decision-making). Agency Executive Director Ashkan Soltani did hint that the Agency would be engaging in other rulemaking activities soon, but did not specify timing.
Discussion of Enforcement Delay
Board Member Vinhcent Le brought up for board discussion the requirement that businesses comply with regulations that are not finalized and the possibility of delaying enforcement. Board Member Lydia de la Torre further proposed that the board consider a very narrow extension of the cure period limited to HR and B2B data. However, this was met with some pushback, as § 1798.199.45 of the CPRA already grants some discretionary authority to the Agency in its enforcement decisions. Ultimately, the board and staff tacitly agreed to include a regulation that reiterates this discretionary authority. Staff will include a proposed regulation in this upcoming draft for the 15-day comment period that follows this board guidance.
Timing and Next Steps
The million-dollar question is: when will the regulations be finalized? Agency General Counsel Philip Laird addressed this during the course of the meeting and stated that “Our goal is to have a full package by early 2023.” Further, he noted that if the board approved a motion allowing for modifications during this meeting (which they did), the target date of “early 2023” would likely be met.
The Agency staff will consider the modifications discussed at the meeting and then publish a notice of modified regulations. That will trigger a new 15-day comment period. After that, the Agency will prepare the final rule-making package for board consideration. If approved, the package will go to the Office of Administrative Law, which has 30 business days to review.