On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.
Status of Draft Regulations and Timeline
In late January or early February 2023, the CPPA anticipates posting a final version of the modified proposed regulations released on November 3, 2022. The final version will incorporate any changes resulting from a second round of public comment. If there are no further modifications or delays, the finalized set of regulations could go into effect around April 2023.
New Rulemaking Activities on Risk Assessments, Cybersecurity Audits and Automated Decisionmaking
The CPRA calls for regulations regarding risk assessments, cybersecurity audits and automated decisionmaking, including profiling, but the CPPA has not yet issued these regulations in draft form. For this rulemaking, a new CPPA rules subcommittee introduced to the CPPA Board proposed topics and questions for preliminary rulemaking activities that are proposed to occur in early 2023.
The proposed topics for the preliminary rulemaking include:
- Privacy and security risk assessments: relevant existing laws and requirements; the persons susceptible to harm; factors for determining risk; requirements for automated decisionmaking including profiling; models for submitting risk assessments, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment; and application to businesses with less than $25 million in annual gross revenues;
- Cybersecurity audits: relevant existing laws and best practices for cybersecurity audits, assessments and evaluations; and processes that help to ensure that these practices are thorough and independent; and
- Automated decisionmaking, including profiling: relevant existing laws, requirements, frameworks and best practices; the prevalence of algorithmic discrimination and how access and opt-out rights can address the issue; implementing access and opt-out rights in different sectors or industries; and providing more specificity regarding “meaningful information” about the logic involved in automated decisionmaking.
As anticipated, the questions for this preliminary rulemaking would be finalized at a later CPPA Board meeting and released for public comment, which would inform further rulemaking activities.
Other Items: CPPA Advocacy Regarding Proposed Federal and State Legislation
The CPPA released a memo outlining recommended steps for the CPPA to take a position on introduced legislation, whether state or federal, and to put forward legislative proposals to California lawmakers. The recommendations follow the steps the CPPA took in opposing the American Data Privacy and Protection Act, H.R. 8152, which, the CPPA highlights, “seeks to preempt nearly all provisions of the California Consumer Privacy Act of 2018, as amended.”