This year, the blossoming of spring is accompanied by a pair of noteworthy California Privacy Protection Agency (CPPA) updates. First, on March 8, the CPPA and staff convened to discuss new draft regulations related to automated decision-making technology (ADMT) and risk assessments, as well as updates to existing California Consumer Privacy Act (CCPA) regulations. Second, on April 2, the Enforcement Division of the CPPA released its first-ever “Enforcement Advisory,” which “share[s] observations from the [CPPA’s] Enforcement Division to educate and encourage businesses to comply with the law.”

After a contentious meeting and the release of the Enforcement Advisory, two things are clear: (1) the timeline for the statutorily required regulations will be extended, and it is unlikely that any of the draft proposed regulations will be finalized for public comment before July 2024 at the earliest, and (2) the CPPA will enforce the CCPA and existing regulations even if not all regulations are finalized.

Status of Draft Regulations as per the March 8 Meeting

In a unanimous vote in its March 8 meeting, the board of the CPPA (the Board) advanced the updates to existing regulations under the CCPA, moving them closer to but not into formal rulemaking. These proposed updates include, among other changes, defining “Sensitive Personal Information,” changes for businesses responding to consumer rights requests, and updates to illustrative examples for businesses to follow.

However, deep disagreements among the Board arose concerning the draft regulations relating to ADMT and risk assessments. Ultimately, the Board voted 3-2 to advance the draft risk assessments and ADMT regulations, allowing staff to revise the draft regulations to address the Board’s feedback and begin the paperwork necessary to eventually file the notice of rulemaking. The split vote emerged from disagreements among board members regarding the appropriate scope of these regulations, especially regarding the scope for ADMT requirements. Although the Board voted to advance the cybersecurity draft regulations to formal rulemaking in December’s meeting, any delays in advancing the ADMT and risk assessment regulations will affect the cybersecurity regulations as CPPA staff aims to consolidate the three draft regulations into a single rulemaking package.

Because of the considerable amount of time spent discussing disagreements about the language and scope of the draft ADMT and risk assessment regulations at the March 8 meeting, the Board did not get to all of the agenda topics. However, it did announce its intended next steps and a tentative timeline. First, the Board tasked the CPPA staff with making changes to the ADMT and risk assessment draft regulations based on the discussions from the March 8 meeting. Second, the Board introduced a “roadshow” concept, where the CPPA will hold stakeholder sessions across California to engage diverse populations in the rulemaking process and will address feedback gleaned from these sessions in future versions of the draft regulations. Whether this roadshow concept will mirror the California attorney general’s public hearings regarding the original CCPA regulations remains to be seen. Third, the Board announced a tentative timeline, aiming to initiate the rulemaking procedures for the risk assessment, ADMT, and cybersecurity regulations in July 2024, at the earliest.

April 2 Enforcement Advisory

On April 2, the CPPA Enforcement Division issued an Enforcement Advisory focused on data minimization, including as it relates to consumer requests. The Enforcement Division stressed that Enforcement Advisories do not constitute regulations, interpretations of the law, or legal advice. Rather, the advisories offer observations gleaned from the Enforcement Division’s enforcement efforts.

Specifically, the Enforcement Division observed that “certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” In its Enforcement Advisory, the Enforcement Division (i) reiterates the relevant portions of the CCPA statutes and applicable regulations and (ii) applies data minimization practices to two hypothetical scenarios where consumers request to opt out of sales/sharing and make deletion requests, respectively.

Throughout the Enforcement Advisory, the Enforcement Division stresses that businesses should ask themselves four questions to guide their data minimization practices and ensure that data collection is not disproportionate or excessive:

  • What is the minimum amount of personal information necessary to achieve a given purpose (e.g., to honor a request to opt out of sale/sharing or a deletion request)?
  • When a business already has certain personal information from a consumer, does it need to ask for more personal information to achieve the stated purpose (e.g., to respond to the request)?
  • What are possible negative impacts if the business collects additional personal information?
  • Could additional safeguards be put in place to address any possible negative impacts?

Overall, the release of this Enforcement Advisory indicates a shift in how the CPPA plans to publicize ongoing guidance. Indeed, the CPPA specifically stated that Enforcement Advisories will be “released periodically throughout the year, and as needed in response to trends.” It is therefore anticipated that further guidance will come from future Enforcement Advisories.

* * * * *

The draft regulations include many provisions that companies may want to comment on. Perkins Coie has been involved in rulemaking since the CCPA was passed and will continue to assist clients seeking practical changes to the draft regulations.

In the meantime, businesses should take this opportunity to consider reviewing their data collection and minimization practices in light of new guidance.