Within the next two weeks, California Privacy Protection Agency (“Agency”) staff will prepare and submit a document package to the Office of Administrative Law (“OAL”) that includes the final text of the CPRA regulations along with the Final Statement of Reasons and responses to all public comments. Once received, the OAL will have 30 business days to review, recommend modifications, and ultimately approve or reject the package.

The Agency held a public meeting on February 3, 2023 where the Agency’s Board voted to send the document package to the OAL, which kickstarts the final step in the formal rulemaking process. Upon OAL approval, the CPRA regulations will become final. However, if the OAL takes issue with the text of the regulations (beyond non-substantive edits for grammar or typos), then the Agency will need to edit the text as necessary and issue a new notice of modified text with a 15-day comment period so the public can provide input on those changes. The Agency also has the option to withdraw sections of the regulations from the document package as needed to address any OAL concerns that might otherwise cause the entire package to be rejected. In short, the OAL’s review may produce additional substantive changes to text of the regulations.

Additionally, the Agency also moved towards addressing other pertinent topics not included in the text of the final regulations voted on during the public meeting. Readers may recall that the CCPA enumerates a list of areas of interest for which additional rulemaking activities are required. The Agency has conducted rulemaking for some, but not all, of the enumerated areas of interest. During the public meeting, the Agency also discussed preliminary rulemaking activities pertaining to risk assessments, cybersecurity audits, and automated decision-making. The Agency announced it is soliciting preliminary public input on these three topics, and provided an expansive list of Sample Questions for Preliminary Rulemaking for which it is seeking public comment, including the following:

• What laws or other requirements that currently apply to businesses or organizations processing consumers’ personal information require risk assessments and cybersecurity audits, and to what degree are these other frameworks’ requirements aligned with the requirements of the CCPA?

• What laws requiring access and/or opt-out rights pertaining to automated decision-making (“ADM”) currently apply to businesses or organizations, and how do those laws define “automated decision-making technology” and align with CCPA requirements?

• What other requirements/frameworks/best practices are businesses/organizations applying in the context of ADM, and how do those laws define “automated decision-making technology” and align with CCPA requirements?

The Agency first solicited public input as part of preliminary rulemaking activities from September 2021 through November 2021, after the Agency assumed rulemaking authority from the California Attorney General. That initial round of solicitation of preliminary public input also requested information on, among others, risk assessments, cybersecurity audits, and automated decision-making. However, the initial invitation for preliminary comments included only a short set of questions pertaining to risk assessment, cybersecurity audits, and automated decision-making that are not as robust as the current request. Of note, unlike the current Sample Questions, the initial set of questions did not inquire about what current laws, requirements, frameworks, or best practices businesses or organizations factor into their risk assessments, cybersecurity audits, and automated decision-making technologies. This development suggests the Agency is looking for opportunities to align its regulatory requirements on these three areas of interest with current existing laws, requirements, frameworks, and best practices, presumably to alleviate some of the compliance burden businesses and organizations that must comply with the CCPA face.

The Agency’s recent activities could mean finalized CPRA regulations in as early as 8 weeks. The Privacy World team will continue to monitor the situation to keep you in the loop.