The California Privacy Rights Act (CPRA) significantly expanded the California Consumer Privacy Act (CCPA) as of January 1, 2023, but companies are still awaiting the updated regulations. On Friday, February 3, 2023, the California Privacy Protection Agency Board (CPPA) reported significant progress toward finalizing its update of the current CCPA regulations, and kicked off the process for developing additional regulations required by the CPRA.
Updated CCPA Regulations
The CPPA (a new agency established to implement and enforce the CCPA) has been working to finalize updates to the existing CCPA regulations, in order to effectuate changes made by the CPRA. After many months of effort, the CPPA has now unanimously passed the current draft version of the updated regulations, available here, for submission to the Office of Administrative Law (OAL), which is the final stage of approval in the rulemaking process. Once the OAL receives the submission, the OAL will have up to thirty business days to review and approve, or disapprove, the regulations. Pending OAL approval, it appears that the current draft version may be the form of the final regulations.
Separately, the CPRA requires creation of additional new regulations in a number of areas, as we previously reported. This brings us to the second major update from the CPPA, as discussed below.
Preliminary Requests for Comments for Additional Rulemaking on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making
Rulemaking efforts are hardly over, as the CPPA next turns its attention to rulemaking on three new areas: risk assessments, cybersecurity audits, and automated decision-making. The CPPA is inviting public comment on these topics but notes that this will not commence a formal rulemaking process. Rather, these preliminary requests for comment serve as an opportunity for information gathering on these specific issues. Stakeholders are not limited to providing comments in response to the questions identified by the CPPA, but notable questions include:
- In addition to any legally-required cybersecurity audits, what other cybersecurity audits, assessments, or evaluations that are currently performed, or best practices, should the Agency consider in its regulations for CCPA’s cybersecurity audits pursuant to Civ. Code § 1798.185(a)(15)(A)?
- What harms, if any, are particular individuals or communities likely to experience from a business’s processing of personal information? What processing of personal information is likely to be harmful to these individuals or communities, and why?
- What minimum content should be required in businesses’ risk assessments?
- How have businesses or organizations been using automated decisionmaking technologies, including algorithms? In what contexts are they deploying them? Please provide specific examples, studies, cases, data, or other evidence of such uses when responding to this question, if possible.
- How prevalent is algorithmic discrimination based upon classifications/classes protected under California or federal law (e.g., race, sex, and age)? Is such discrimination more pronounced in some sectors than others?
The CPPA’s decision to formally release its request for comments was also passed with unanimous approval from all board members. Further information regarding comment submissions will be posted on the CPPA’s website, available here, and the specific questions posed by the CPPA are available here.