0
CaliforniaCalifornia Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

California Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

On Tuesday, October 5th, Jennifer M. Urban, Board Chair of the newly formed California Privacy Protection Agency (CPPA), joined the Privacy Law Section of the California Lawyers Association for a fireside chat about CPRA rulemaking, agency staffing, and what privacy practitioners can expect in the months to come.

 

Approved through ballot proposition back in November 2020, the California Privacy Rights Act (CPRA) created the CPPA, which is the first state-level agency dedicated to consumer privacy regulation. With the CPPA having full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, privacy practitioners and businesses are keeping a close eye on the new agency’s rulemaking timeline as the July 1st deadline to adopt final regulations quickly approaches.

 

The CPPA had its first public board meeting on June 14th (agenda and meeting materials available here). The agency then followed up with a two-day, public virtual meeting on September 7th and September 8th (agenda and meeting materials available here) as well as a closed session regarding hiring matters on September 24th (agenda available here).

 

Some of the topics discussed by the CPPA Board during its September 7th and 8th public meetings include: (1) the Bagley-Keene Open Meeting Act; (2) the Administrative Procedures Act; (3) other administrative updates; (4) initial hiring strategy, timelines, and duties; (5) delegations of authority for limited administrative functions; (6) the agency’s conflict of interest code; (7) member handbook drafts; (8) subcommittee assignments; (9) board office location; (10) notice to the Attorney General to assume rulemaking authority; (11) future meeting schedule; and (12) public comments.

 

In continuing with some of the above-mentioned topics, the fireside chat primarily covered the agency’s proposed rulemaking timeline, agency staffing needs, and subcommittee assignments.

 

With preliminary public comments on proposed rulemaking due by November 8th, the CPPA is looking to publish notice of proposed rulemaking, an initial statement of reasons, and text of regulations sometime in Winter 2021-2022 (aiming potentially for January 2022). In Winter/Spring 2021-2022, the CPPA is planning to hold public hearings. Furthermore, the CPPA is planning to submit draft regulations to the Office of Administrative Law by May 2022.

 

The CPPA proposes to form three new subcommittees to divide up the work: (1) New CPRA Rules Subcommittee; (2) Update of CCPA Rules Subcommittee, and (3) Rulemaking Process Subcommittee.

 

The New CPRA Rules Subcommittee will cover topics such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. The suggested members for this subcommittee are Vinhcent Le and Lydia de la Torre.

 

The Update CCPA Rules Subcommittee will cover opt-out requests (including preference signals), accessibility, rights to erase/correct/know (look-back period, definition of “specific pieces of information obtained from the consumer, etc.), and use of PI by contractors/service providers. The suggested members for this subcommittee are Jennifer Urban and Angela Sierra.

 

The Rulemaking Process Subcommittee will coordinate pre-rulemaking and rulemaking activities (e.g., informational hearings, collection of comments, etc.), make recommendations as to whether rules are needed for certain topics, coordinate reports on the scope of privacy rules that currently apply to insurance corporations, and suggest additional topics for rulemaking and secure resources. The suggested members for this subcommittee are John Christopher Thompson and Lydia de la Torre.

 

Please see additional information regarding the agency’s proposed course of action here.

 

Economic considerations regarding the operational cost of compliance are also likely to be considered during the rulemaking process.

 

What’s next? The deadline for the adoption of final regulations is July 1, 2022. The CPRA becomes effective on January 1, 2023. The CPPA will also continue to hold meetings as the rulemaking process continues.

 

Beckage’s California Privacy Team continues to actively monitor updates to the privacy landscape as well as the impacts that new CPRA regulations will have on businesses. To learn more about the impact the CCPA and the CPRA may have on your business, reach out to our team of highly skilled attorneys.

 

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.