The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of its draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.
Below we summarize the key takeaways from the latest board meeting and highlight next steps.
A. The Research Exception is Postponed for Another Day
While the board ultimately reached a unanimous decision, board member De La Torre raised concerns with Section 7002 regarding the lack of research and other exemptions. She echoed negative public feedback questioning whether California would benefit from a rule that is more stringent in this respect than the General Data Protection Regulation (GDPR). In particular, she noted the extent to which such a rule could undermine California’s central role in fostering innovation. Chairperson Urban conceded that this issue could be taken up in subsequent rulemaking processes, but no such changes will be made to the rulemaking package before it is sent to the California Office of Administrative Law (OAL).
B. What’s Next for Cyber and AI?
As it did with the first round of public comments, the CPPA indicated that it will begin its second round of comments, covering cybersecurity, automated decision-making, and risk assessments. These will not begin with draft regulations, but with broad questions sourced from public input that will form the basis of a future draft rule on these topics.
C. Timeline and Next Steps
Though the CPPA did not provide any firm dates for the finalization of the amendments to the CCPA, it summarized next steps and a high-level timeline for the rulemaking package following the approval. Over roughly the next two weeks, the CPPA will finalize the rulemaking package and submit it to the OAL, which will review it for conformance with state administrative procedure laws. The review is expected to take 30 business days (or about 45 calendar days), after which the OAL may approve the final rule.
D. Getting Ready
Assuming that the OAL does not identify any changes that require additional administrative procedures, businesses should be prepared to comply with amendments to the CCPA as soon as this summer. If past precedent applies, the rulemaking package is likely to substantially reflect the contents of the final rule; substantive changes are unlikely to result from the OAL review. Advance preparations to comply with the changes reflected in the rulemaking package are particularly critical, since the 30-day cure period provided by the CCPA expired on January 1, 2023, when the California Privacy Rights Act (CPRA) amended the CCPA.
Additionally, given the broad range of topics addressed in the CPPA’s questions and the potentially significant impact of rules covering risk assessments, cybersecurity audits, and automated decision-making, businesses should stay tuned for the associated comment period. The questions broadly address the following:
- Restrictions on automated decision-making, up to and including a consumer opt-out right.
- Government access rights over the logic used in algorithmic decision-making processes.
- Requirements to conduct cybersecurity audits that are not reflected in the law today.
Depending on the substance of comments received and the direction of subsequent rulemaking procedures, these topics could lead to new compliance requirements and significant restrictions on businesses that rely on algorithmic decision-making.
Our Chambers-ranked Privacy & Security team will monitor upcoming developments and collaborate with our clients to ensure their concerns are heard as the CPPA moves forward with the rulemaking processes.