The California Privacy Protection Agency (CPPA) released a statement on March 30, 2023, announcing that the California Office of Administrative Law (OAL) had approved the first substantive rulemaking package for the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA). As a result of this, the CCPA regulations in this rulemaking package are finalized and, according to their terms, effective immediately.
Rulemaking Process and Results
For those following the CPPA’s rulemaking process, the final version of the first rulemaking package—which is anticipated to be posted on the CPPA’s website here in early April 2023 once processed—will look very familiar. Indeed, the CPPA announced that the regulations “have not changed substantively since the [CPPA] Board voted on modifications made at its October 29, 2022 meeting.” Members of Perkins Coie’s Privacy and Security practice previously analyzed the most recent revisions to the regulations here.
While six states have passed broad consumer privacy legislation over the past five years (with Iowa as the most recent), only two directed the promulgation of regulations (California and Colorado). The now final CCPA regulations—which are “effective immediately”—provide businesses, service providers, third parties, contactors, and other entities within scope of the law with more specific direction on the implementation of the CCPA. This direction includes among other things: (1) requirements on the contents of privacy policies and other required disclosures, (2) provisions relating to noticing and responding to requests for correction and deletion, as well as to knowing about the processing of personal information, and (3) instructions concerning obligations that must be included in data processing agreements between entities within scope of the CCPA that process, share, or sell personal information. The regulations also include detailed guidance on noticing and complying with the right to opt out of sales/sharing and preference signals, limiting use of sensitive personal information, and use of cross-contextual behavioral advertising technology. In short, the regulations supplement and add to the compliance requirements for CCPA, and companies should review the regulations for a full understanding of obligations related to CCPA compliance.
This announcement caps off a process that began with the November 2020 election, when California voters passed Proposition 24 establishing the California Privacy Rights Act. The rulemaking process was originally scheduled to be completed by July 1, 2022. However, due to staffing constraints (including losing two CPPA Board members and replacing one), formal rulemaking did not commence until July 8, 2022, and experienced some additional delay thereafter.
The approval of these regulations heralds a new era in California’s privacy ecosystem, and the CPPA proudly announced that these regulations “harmonize” existing CCPA regulations with CPRA developments, “operationalize new rights and concepts,” and make the law “easier to follow and understand.” Ultimately, the CPPA takes the position that the new regulations “place the consumer in a position where they can knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information.”
What’s On the Horizon?
The CPPA is not finished with its rulemaking responsibilities, and indeed already a second rulemaking package covering cybersecurity audits, risk assessments, and automated decision-making underwent a preliminary comment period that ended on March 27, 2023. It is anticipated that rulemaking in this area will proceed swiftly now that the CPPA is burgeoned with extra staff, including Lisa Kim, the senior privacy counsel and advisor at the CPPA and a driving force behind the regulations.
Critically for businesses, enforcement of the regulations is scheduled to begin on July 1, 2023. However, the California Chamber of Commerce filed a petition for a writ of mandate on March 30, 2022, seeking to enjoin enforcement of the regulations to allow businesses adequate time to come into compliance. In the meantime, however, according to Ashkan Soltani, the CPPA’s executive director, the CPPA is seeking to “redouble our efforts to promote public awareness of consumers’ rights and businesses’ responsibilities under the law.”
Our Chambers-ranked Privacy and Security team will continue to monitor developments and publish updates as the CPPA moves forward with the rulemaking processes.