On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment, from February 10, 2023, through March 27, 2023, on topics that are likely to be covered in a new set of regulations.
The Board unanimously approved the draft, which should be submitted to the OAL within the next two weeks. After the OAL receives the submission, it will have up to 30 business days to approve or reject the proposal. The OAL may also identify issues that require revisions. Given the current time frame, it is anticipated that the final rules may go into effect in April 2023.
For many businesses, the regulations could have a significant impact on day-to-day data processing. Among other things, they implement the CCPA’s restrictions on the collection and use of personal information, which will require businesses to assess whether their data uses are consistent with the “reasonable expectation” of the consumers whose data is collected. The regulations also contain prohibitions around the use of so-called “dark patterns” that might lead consumers to exercise fewer “privacy-protective” options when submitting rights requests or consenting to data processing. They add details around required contractual terms with service providers and other third parties and will expressly require recognition of opt-out preference signals sent in formats “commonly used and recognized by businesses.”
The Board is also beginning to focus on three new areas for rulemaking. On February 10, 2023, the Board issued an Invitation for Preliminary Comments on Proposed Rulemaking: Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Comments must be submitted by 5:00 p.m. PT on Monday, March 27, 2023. Some of the specific questions asked involve the scope of existing audit requirements and how they should relate to any requirements issued by the CPPA, the privacy risks that should trigger an audit, and risk assessment requirements and the content of such assessments. The Board is also seeking comment on how “automated decisionmaking” should be defined and how privacy rights could help to combat the algorithmic discrimination that may result from such automated decisions.