California Privacy Rights Act

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing draft automated decisionmaking technology regulations although the Agency has yet to initiate the formal rulemaking process.

On November 27, 2023, the California Privacy Protection Agency (Agency) published draft automated decisionmaking technology regulations as well as revised draft risk assessment regulations. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft regulations are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

This article focuses on how the two draft regulations address automated decisionmaking technology (ADMT). The risk assessment regulations contain additional provisions that are not addressed herein. In addition, given that these are only draft regulations, this article only provides a high-level summary and some takeaways. It does not provide an exhaustive analysis of the draft regulations.Continue Reading CPPA Publishes Draft Automated Decisionmaking Technology (AI) Regulations

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.Continue Reading CPPA Publishes Revised Draft Cybersecurity Audit Regulations

Keypoint: Although they are only draft regulations and not part of the formal rulemaking process, the drafts demonstrate the Agency’s intent to create extensive obligations for businesses subject to these regulations.

In connection with its September 8, 2023 Board meeting, the California Privacy Protection Agency (“Agency”) published draft regulations on risk assessments and cybersecurity audits. The drafts were provided as meeting materials for a CPRA rules subcommittee update.

The drafts specifically state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” To that end, the drafts identify specific text for the Board to discuss and, in some instances, identify multiple options for Board consideration. The drafts also note that the Agency “has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decisionmaking technology.”

Although these are only drafts, they nonetheless provide an initial insight into the Agency’s thought process for these new and significant rulemaking topics. In short, the drafts indicate the Agency’s intent to create extensive obligations for businesses subject to these regulations. In the below post, we provide a high-level summary and analysis of some of the more notable parts of the drafts.Continue Reading CPPA Releases Draft Regulations on Risk Assessments and Cybersecurity Audits

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically

Keypoint: The Attorney General’s investigatory sweep focuses on how large California employers are handling the expiration of the CCPA’s employee data exemption.

On July 14, 2023, the California Attorney General announced a new CCPA investigatory sweep focused on employee data. The Attorney General’s Office reported that it had sent inquiry letters “to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”Continue Reading California Attorney General Announces New CCPA Investigative Sweep of Employers

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.Continue Reading Enforcement of New CCPA Regulations Delayed By Court Ruling

Keypoint: The Office of Administrative Law’s approval of the CCPA regulations ends a months-long rulemaking process that began in September 2021.

On March 30, 2023, the California Privacy Protection Agency (Agency) announced that the California Office of Administrative Law (OAL) approved the Agency’s first substantive CCPA rulemaking package. The approved regulations, which are immediately effective, can be enforced beginning July 1, 2023. Continue Reading California OAL Approves CCPA Regulations

Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.Continue Reading CPPA Board Approves CPRA Regulations

Keypoint: On the heels of last week’s Board meeting, Agency staff quickly turned around a modified version of the proposed regulations, triggering a fifteen day comment period and further signaling that the Agency is on track to finalize the regulations in January/February 2023.

On November 3, 2022, the California Privacy Protection Agency (Agency) issued a notice of modifications to the text of proposed California Consumer Privacy Act (CCPA) regulations. The notice follows a two-day meeting held by the Agency Board on October 28 and 29, 2022, during which the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. The notice states that the Agency will accept written comments regarding the proposed changes or materials added to the rulemaking file up to 8:00 a.m. on Monday, November 21, 2022.

In the below post, we first provide a brief overview of the rulemaking process to date and its path forward. We then review some of the substantive modifications the Agency made to the proposed regulations after last week’s Board meeting.Continue Reading CPRA Proposed Regulations Formally Noticed for 15 Day Comment Period

Keypoint: The Board advanced the modified proposed CPRA regulations with the goal of submitting final regulations to the Office of Administrative Law by year end.

On October 28 and 29, 2022, the California Privacy Protection Agency (Agency) Board held a meeting to review and consider the modified proposed California Consumer Privacy Act (CCPA) regulations. The Agency previously published the modified proposed regulations on September 17, 2022. The modified proposed regulations contain many changes to the initial proposed regulations based on comments the Agency received during the public comment period.

At the conclusion of the meeting, the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. Once noticed, stakeholders will have fifteen days to provide comments. The Board’s General Counsel explained that the Agency hopes to have final rules submitted to the Office of Administrative Law (OAL) for review by the end of the year. If that timeframe holds, the regulations would become effective in late January or early February.

Below is a summary of key takeaways from the meeting.Continue Reading CPPA Board Advances Proposed CPRA Regulations