Keypoint: While the Agency previously published draft regulations in early June, its filing of a Notice of Proposed Rulemaking officially initiates the rulemaking process and triggers a 45-day comment period.
On July 8, 2022, the California Privacy Protection Agency (Agency) announced that it has initiated the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA). The announcement comes exactly six weeks after the Agency published draft regulations in connection with an Agency Board meeting held on June 8, 2022.
In the post below, we identify the rulemaking documents filed by the Agency, discuss the rulemaking timeframe and scope, highlight comments the Agency made regarding other privacy laws, and identify the non-substantive changes made between this version and the prior draft version published in June.
Rulemaking Documents
The Agency’s rulemaking documents include a Notice of Proposed Rulemaking, Text of Proposed Regulations, Initial Statement of Reasons and Appendix, Economic and Fiscal Impact Statement and STD 399 Attachment.
Rulemaking Timeframe
The Agency’s filing of the Notice of Proposed Rulemaking triggers a minimum 45-day public comment period. Consistent with that timeframe, the Agency stated that it will accept written comments until August 23, 2022. The Agency will hold public hearings on August 24 and 25, 2022.
The ultimate timeframe for finalizing the regulations will depend on how quickly the Agency can consider public comments and to what extent it modifies the regulations in response. If the Agency makes major changes to the proposed regulations, it must initiate another 45-day comment period. If the Agency makes substantial and sufficiently related changes, it must initiate a 15-day comment period. If it makes no changes or nonsubstantial and sufficiently related changes, it does not have to initiate another comment period. For a further explanation, please see the rulemaking explanation available here.
For reference, the California Attorney General’s office published three versions of regulations before the final regulations were submitted to the Office of Administrative Law (OAL). The initial version was published on October 11, 2019 with first and second modified versions published on February 10, 2020 and March 27, 2020, respectively. The office submitted the final regulations to the OAL in June 2020 and the OAL approved the regulations on August 14, 2020.
Rulemaking Scope
The proposed regulations cover some – but not all – of the 22 topics required by the CPRA. According to the Agency’s Notice of Proposed Rulemaking, the “proposed regulations primarily do three things: (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.”
The Agency stated that it will not be promulgating rules on cybersecurity audits, risk assessments, and automated decisionmaking technology at this time. Those areas will be the subject of a future rulemaking.
We previously provided an in-depth analysis of the proposed regulations here.
Interaction with other Privacy Laws
The Notice of Proposed Rulemaking contains comments that show the Agency’s consideration of how the regulations will interact with other privacy laws.
According to the Agency, “the proposed regulations take into consideration privacy laws in other jurisdictions and implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.”
However, the Agency considered – and rejected – a regulatory alternative that would allow for a limited exception for GDPR-compliant firms. Although that “approach could achieve significant economies of scale in both private compliance and public regulatory costs” the Agency rejected it “because of key differences between the GDPR and CCPA, especially in terms of how personal information is defined and the consumer’s right to opt-out of the sale or sharing of personal information (which is not required in the GDPR).”
Finally, the Colorado Attorney General’s office will be engaging in rulemaking for the Colorado Privacy Act. The Attorney General’s office is currently soliciting pre-rulemaking comments.
Changes from Draft Regulations
The proposed regulations do not appear to have any substantive changes from the draft regulations that were published in June.
We did identify the following non-substantive changes:
- Section 7012(a) – In the last sentence, “selling or sharing” was changed to “sell or share”
- Section 7012(g) – Sub-paragraph (1)(A) was moved up and joined with (g). The text was not modified.
- Section 7014(d) – “an alternative opt-out link” was changed to “the alternative opt-out link”
- Section 7025(g) – “an alternative opt-out link” was changed to “the alternative opt-out link” and “meets the following additional requirements” was changed to “meets all of the following additional requirements”
- Section 7025(g)(3)(A) – “Business S” was changed to “Business Q” in the second part of the example
- Section 7027(b)(1) – “alternative opt-out link” was changed to “the alternative opt-out link”
- Section 7027(g)(3) and (4) – “forward the request” was changed to “to forward the request”
- Section 7052(b) – “set forth in subsection (l)” was changed to “set forth in section 7027, subsection (l)”
- Section 7060(a) – The updated redline indicates that “to know or a request” was deleted from the current regulations. This change appears to be a redlining correction.
- Section 7300(a) – the address of the Agency was deleted