December 5, 2021

Volume XI, Number 339

Advertisement
Advertisement

December 03, 2021

Subscribe to Latest Legal News and Analysis

December 02, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

California Privacy Agency Moves Forward With Rulemaking Process

The California Privacy Protection Agency (CPPA) Board, created by the California Privacy Rights Act (CPRA), has been busy of late. As we recently reported, the CCPA has hired renowned privacy technologist Ashka Soltani as its new Executive Director to lead the agency. Meanwhile, the agency’s committees have been hard at work. The Regulations Subcommittee has proposed its framework for its rulemaking process. Notably, the subcommittee recommends an immediate start to pre-rulemaking activities such as issuing an invitation for comments, the creation of additional subcommittees, and the identification of informational hearing topics. A pre-rulemaking process gives the agency flexibility to hear from stakeholders outside of the formal and constrained process that will begin once the regulatory process officially commences. The framework also notes that the notice of proposed rulemaking, initial statement of reasons (ISOR), and text of the regulations should be published in winter 2021-2022, with public hearings taking place thereafter. This suggests that stakeholders have a short window of opportunity to take advantage of the pre-regulatory educational period. It will be interesting to see if the agency conducts the kind of “listening tour” the Office of Attorney General (OAG) went on across the Golden State by means of town halls prior to its California Consumer Privacy Act (CCPA) rulemaking process, or elects to spend its time in more intimate and concerted explorations.

The subcommittee also provided insight into how it recommends varying topics should be assigned to existing and proposed subcommittees. It proposes that the Board create a new CPRA Rules Subcommittee to oversee cybersecurity audits, risk assessments, automated decision-making, and the Agency’s audit authority – new rights and obligations under CPRA. A CCPA Rules Subcommittee is suggested for opt-out requests, accessibility, rights to erase, correct and know, and the use of personal information by contractors and service providers — existing rights and obligations under CCPA. Finally, it suggests that the Rulemaking Process Subcommittee coordinate pre-rulemaking and rulemaking activities as well as the report on scope of rules that apply to insurance corporations, an issue left murky by the CCPA and OAG rulemaking. The Rulemaking Process Subcommittee is also recommended to make suggestions for additional topics for rulemaking, make recommendations as to whether a rule is needed within a certain topic, and to secure resources as needed.

The CPRA vests the CPPA with more specific and broader rulemaking authority than pre-CPRA CCPA vested in the OAG. Will the CCPA’s greater mandate and discretion result in more meaningful or more intrusive regulation? Will it make the law more flexible as to permit innovation in a complex and evolving digital world while balancing individuals’ interest in data practice transparency and choice, or will the 2.0 rules prove to be overly constrictive and ludditean? Only time will tell. However, businesses, consumers and other stakeholders all have an opportunity in the coming months to have their opinions heard.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 280
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
Associate

Amber Mulcare is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. Her experience spans a wide range of complex privacy, cybersecurity, technology and emerging company matters across an array of sectors.

Amber has assisted with various data breaches of information, including PII, PHI and CUI; coordinated multijurisdictional notifications, including state attorneys general and the FTC, when necessary; crafted internal and external communication for clients to deliver; and coordinated with forensic specialists and other consultants, as needed. She has also...

1 202 575 5616
Advertisement
Advertisement
Advertisement