Potential Rulemaking on the Horizon: CPPA Board Announces February Public Meeting

The California Privacy Protection Agency Board (“Board”) announced it will hold a public meeting on February 3, 2023. The posted meeting agenda shows the potential for rulemaking activity during the Board’s first meeting of 2023. Specifically, the agenda items include: “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California” and “Preliminary Rulemaking Activities for New Rules on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making.” The full agenda is available here.

Last year, the Board published the first draft of the proposed CPRA Regs and initial statement of reasons in May 2022, and a Modified Text of Proposed Regulations in October 2022. A 15-day public comment period followed the publication of the modified text, which closed on November 21, 2022. Public comments to the proposed regs are available here. The proposed CPRA regs (including the modified text) now need to be formally approved by the Board, after which staff will prepare a final package that includes the Final Statement of Reasons and responses to all public comments for submission to the Office of Administrative Law (“OAL”). Once approved by the OAL, the regulations will become final. However, if the Board votes on further edits to the proposed regulations (for example, based on public comments received during the 15-day public comment period), that will start a new public comment period, which will delay submission of a final package to the OAL, and ultimately delay finalizing the proposed regs.

Whether the Board adopts the draft CPRA regs or takes any other substantive action to move the implementing regulations forward at the upcoming meeting remains to be seen.