March 23, 2023

Volume XIII, Number 82


CPPA Board Votes to Send Final CPRA Regs to the Office of Administrative Law

Within the next two weeks, California Privacy Protection Agency (“Agency”) staff will prepare and submit a document package to the Office of Administrative Law (“OAL”) that includes the final text of the CPRA regulations along with the Final Statement of Reasons and responses to all public comments. Once received, the OAL will have 30 business days to review, recommend modifications, and ultimately approve or reject the package.

The Agency held a public meeting on February 3, 2023, where the Agency’s Board voted to send the document package to the OAL, which kickstarts the final step in the formal rulemaking process. Upon OAL approval, the CPRA regulations will become final. However, if the OAL takes issue with the text of the regulations (beyond non-substantive edits for grammar or typos), then the Agency will need to edit the text as necessary and issue a new notice of modified text with a 15-day comment period so the public can provide input on those changes. The Agency also has the option to withdraw sections of the regulations from the document package as needed to address any OAL concerns that might otherwise cause the entire package to be rejected. In short, the OAL’s review may produce additional substantive changes to the text of the regulations.

Additionally, the Agency moved towards addressing other pertinent topics not included in the text of the final regulations voted on during the public meeting. Readers may recall that the CCPA enumerates a list of areas of interest for which additional rulemaking activities are required. The Agency has conducted rulemaking for some, but not all, of the enumerated areas of interest. During the public meeting, the Agency also discussed preliminary rulemaking activities pertaining to risk assessments, cybersecurity audits, and automated decision-making. The Agency announced it is soliciting preliminary public input on these three topics, and provided an expansive list of Sample Questions for Preliminary Rulemaking for which it is seeking public comment, including the following:

  • What laws or other requirements that currently apply to businesses or organizations processing consumers’ personal information require risk assessments and cybersecurity audits, and to what degree are these other frameworks’ requirements aligned with the requirements of the CCPA?

  • What laws requiring access and/or opt-out rights pertaining to automated decision-making (“ADM”) currently apply to businesses or organizations, and how do those laws define “automated decision-making technology” and align with CCPA requirements?

  • What other requirements/frameworks/best practices are businesses/organizations applying in the context of ADM, and how do those laws define “automated decision-making technology” and align with CCPA requirements?

The Agency first solicited public input as part of preliminary rulemaking activities from September 2021 through November 2021, after the Agency assumed rulemaking authority from the California Attorney General. That initial round of solicitation of preliminary public input also requested information on, among others, risk assessments, cybersecurity audits, and automated decision-making. However, the initial invitation for preliminary comments included only a short set of questions pertaining to risk assessments, cybersecurity audits, and automated decision-making, and those questions are not as robust as the current request. Of note, unlike the current Sample Questions, the initial set of questions did not inquire about what current laws, requirements, frameworks, or best practices businesses or organizations factor into their risk assessments, cybersecurity audits, and automated decision-making technologies. This development suggests the Agency is looking for opportunities to align its regulatory requirements on these three areas of interest with existing laws, requirements, frameworks, and best practices, presumably to alleviate some of the compliance burden faced by businesses and organizations that must comply with the CCPA.

The Agency’s recent activities could mean finalized CPRA regulations in as few as 8 weeks. The Privacy World team will continue to monitor the situation to keep you in the loop.

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume XIII, Number 37

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
Elizabeth A. Spencer Berthiaume Attorney Cybersecurity Squire Patton Boggs Dallas
Associate

Elizabeth Spencer Berthiaume is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. She focuses her practice on data privacy and protection, cybersecurity and data breach preparedness and response.

214-758-3448
Gicel Tomimbang Los Angeles California Associate Attorney Data Privacy Cybersecurity Squire Patton Boggs LLP
Associate

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...

213-689-6543