Keypoint: The Board advanced the modified proposed CPRA regulations with the goal of submitting final regulations to the Office of Administrative Law by year end.
On October 28 and 29, 2022, the California Privacy Protection Agency (Agency) Board held a meeting to review and consider the modified proposed California Consumer Privacy Act (CCPA) regulations. The Agency previously published the modified proposed regulations on September 17, 2022. The modified proposed regulations contain many changes to the initial proposed regulations based on comments the Agency received during the public comment period.
At the conclusion of the meeting, the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. Once noticed, stakeholders will have fifteen days to provide comments. The Board’s General Counsel explained that the Agency hopes to have final rules submitted to the Office of Administrative Law (OAL) for review by the end of the year. If that timeframe holds, the regulations would become effective in late January or early February.
Below is a summary of key takeaways from the meeting.
Timeframe and Process for Finalization
At the start of the meeting, Agency General Counsel Philip Laird outlined the remaining rulemaking process. According to Laird, after the Board meeting, Agency staff will consider the additional modifications arising out of the meeting and work to publish modified proposed rules for formal comment in the next week or two.
The formal publication of the modified proposed rules will initiate a fifteen-day public comment period. There was no discussion of the comment period being the longer forty-five-day option.
After the comment period, Agency staff will prepare a final rulemaking package for Board consideration, which will include a final statement of reasons. Laird stated that the Agency hopes to be able to submit the final rulemaking package to the OAL by the end of the year. The OAL will then have 30 business days to review it. Ultimately, the Board hopes the process will conclude by the end of January, although it could spill into February depending on the exact timing of events.
The Agency’s goal of finalizing regulations by the end of January / early February perhaps places the Colorado Attorney General’s decision to host its public hearing on the Colorado Privacy Act (CPA) draft rules on February 1, 2023, into better focus. In theory, if all goes as planned, the Colorado Attorney General’s office would have final CCPA regulations to work with when finalizing its CPA rules, which could (hopefully) lead to increased interoperability.
The Board Knows that Timing is an Issue
It was readily apparent during the meeting that the Board wants the regulations finalized as soon as possible. At one point, Board member Alastair Mactaggart commented that his “main goal is not to delay implementation of regulations.” Various Board members also mentioned a number of times that they would like to revisit some of these regulations at a later time.
Potential New Regulation on the Timing of the Final Regulations and Enforcement Actions
During the Saturday morning portion of the meeting, Board member Vinhcent Le asked the Board to consider adding a new regulation instructing the Agency to take into consideration the timing of the final regulations when engaging in any enforcement actions. By way of explanation, the full package of CPRA regulations was supposed to be finalized by July 1, 2022. However, as it stands, only a partial rulemaking package will be finalized, approximately six or seven months after the July 1 deadline. This will give businesses significantly less time to drive compliance, an issue that Mr. Le said resulted in many comments during the rulemaking process.
The Board was sympathetic to the impact on businesses from this delay and directed Agency staff to consider a “new regulation that states that the Agency has discretion to consider the amount of time between the effective date of the statutory or regulatory requirement and possible violations of those requirements, as well as good faith efforts to comply.”
More Changes to the Proposed Regulations
In addition to the new regulation on enforcement, the next set of proposed draft regulations that are submitted for the fifteen-day comment period will have a number of changes from the current modified proposed regulations.
First, during the meeting, Lisa Kim, Deputy Attorney General for the California Department of Justice, walked through additional changes that Agency staff had identified since publishing the modified proposed regulations in September. In general, the changes were either grammatical or intended to resolve ambiguities Agency staff had recently identified.
Second, the Board directed Agency staff to consider changes to the regulations dealing with the right to limit the use of sensitive personal information, opt out preference signals, and the provisions in § 7002 dealing with purpose limitations, secondary uses and data minimization.
Right to Limit the Use of Sensitive Personal Information
With respect to the right to limit the use of sensitive personal information, the Board discussed at length proposed regulation § 7027(m), which lists the permissible purposes for which businesses can process sensitive personal information without having to provide consumers with the right to limit. Board member Ms. de la Torre, in particular, raised concerns that the listed purposes do not allow businesses to process employee sensitive personal information for DEI purposes without having to provide the right to limit. Board member Mr. Mactaggart also raised concerns with that section, stating that he was not sure the list was comprehensive enough.
Ultimately, the Board identified proposed revisions for Agency staff to consider, and also seemed to agree that this provision was one that would require further consideration at a later date after the regulations are finalized. Specifically, the Board asked Agency staff to consider (1) including a reference to Civil Code § 1798.121(a); (2) including language stating that the use and disclosure of the sensitive personal information shall be reasonably necessary and proportionate to achieve the purposes listed within the regulation; and (3) moving the term “collect” from the preamble to (m)(8).
Opt-Out Preference Signals
The Board also actively discussed proposed regulation § 7025, dealing with the opt-out preference signal. In general, the Board seemed concerned with how businesses would operationalize this regulation and whether it would lead to unintended consequences. Specifically, the Board discussed how businesses should treat the opt out preference signal vis-à-vis financial incentive programs and the treatment of pseudonymous profiles.
With respect to financial incentive programs, the Board considered how to address the situation in which a consumer previously joined a business’s financial incentive program but then sends an opt-out preference signal, and how the business should react. The Board (and Agency staff) ultimately decided that the business could ask the consumer if they would like to stay in the program in which case the business would implement the consumer’s yes/no decision. If the business asks and the consumer does not respond, the business could keep the consumer in the program. However, if the business receives the signal and does not give the consumer the yes/no chance to decide, then it needs to treat the signal as an opt out of the program.
In the end, the Board directed Agency staff to consider adding clarifying language that (1) opt-out preference signals should apply to pseudonymous profiles, e.g., consumer profiles associated with the browser or device; (2) if a business asks and the consumer does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to that program; and (3) a business shall still apply an opt-out preference signal to the browser or device, or the known consumer, if the business does not ask the consumer to affirm their intent to withdraw from a financial incentive program.
Purpose Limitations, Secondary Uses and Data Minimization
Finally, Board member Ms. de la Torre brought up a number of concerns relating to the contours of § 7002, which deals with purpose limitations, secondary uses and data minimization. For example, she questioned whether the factors in that section included all of the necessary elements and whether it was the intent for businesses to weigh the factors.
As a result, the Board instructed Agency staff to consider (1) adding clarifying language about a consumer’s expectations regarding the examples set forth in § 7002(d); (2) removing the word “factors”; (3) adding clarifying language within § 7002(b)(4) about the straightforwardness and ease of understanding of the disclosure; and (4) adding clarifying language regarding the “consumer.”
Although there will be changes in the next set of published regulations, it should be emphasized that Board members repeatedly signaled that they would prefer to consider more changes. However, the Board members overwhelmingly agreed that their proposed changes could wait to be implemented in a future version of the regulations after these regulations are finalized. At one point, Mr. Mactaggart said that he expected to be discussing regulations at almost every Board meeting moving forward. The overarching impression left by the Board meeting is that the Board views these regulations as something that needs to be finalized as soon as possible, but that it expects to update and revise them over time.
More Regulations on Other Topics
The current proposed regulations do not cover all of the topics for which regulations are required under § 1798.185 of the CCPA. For example, the current proposed regulations do not cover automated decisionmaking and profiling, cybersecurity audits, or risk assessments. With the expiration of the employee and business-to-business exemptions, there also have been calls for the Agency to publish additional regulations on those topics. Board members Ms. de la Torre and Mr. Mactaggart both raised that issue during the meeting, with Ms. de la Torre focusing on employee data and Mr. Mactaggart more concerned with business data. During the meeting, Agency Executive Director Ashkan Soltani (participating remotely from Turkey) noted that the Agency would be engaging in further rulemaking on these topics, but he did not specify a timeframe.