Keypoint: The Office of Administrative Law’s approval of the CCPA regulations ends a months-long rulemaking process that began in September 2021.

On March 30, 2023, the California Privacy Protection Agency (Agency) announced that the California Office of Administrative Law (OAL) approved the Agency’s first substantive CCPA rulemaking package. The approved regulations, which are immediately effective, can be enforced beginning July 1, 2023.

Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.

Keypoint: On the heels of last week’s Board meeting, Agency staff quickly turned around a modified version of the proposed regulations, triggering a fifteen day comment period and further signaling that the Agency is on track to finalize the regulations in January/February 2023.

On November 3, 2022, the California Privacy Protection Agency (Agency) issued a notice of modifications to the text of proposed California Consumer Privacy Act (CCPA) regulations. The notice follows a two-day meeting held by the Agency Board on October 28 and 29, 2022, during which the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. The notice states that the Agency will accept written comments regarding the proposed changes or materials added to the rulemaking file up to 8:00 a.m. on Monday, November 21, 2022.

In the below post, we first provide a brief overview of the rulemaking process to date and its path forward. We then review some of the substantive modifications the Agency made to the proposed regulations after last week’s Board meeting.

Keypoint: The Board advanced the modified proposed CPRA regulations with the goal of submitting final regulations to the Office of Administrative Law by year end.

On October 28 and 29, 2022, the California Privacy Protection Agency (Agency) Board held a meeting to review and consider the modified proposed California Consumer Privacy Act (CCPA) regulations. The Agency previously published the modified proposed regulations on September 17, 2022. The modified proposed regulations contain many changes to the initial proposed regulations based on comments the Agency received during the public comment period.

At the conclusion of the meeting, the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. Once noticed, stakeholders will have fifteen days to provide comments. The Board’s General Counsel explained that the Agency hopes to have final rules submitted to the Office of Administrative Law (OAL) for review by the end of the year. If that timeframe holds, the regulations would become effective in late January or early February.

Below is a summary of key takeaways from the meeting.

Keypoint: The California Privacy Protection Agency’s issuance of significantly modified proposed regulations comes days in advance of four scheduled Board meetings where the proposed regulations will open to debate, modification, and potential adoption.

On Monday, September 17, 2022, the California Privacy Protection Agency (CPPA or Agency) issued modified proposed CPRA regulations as well as an explanation for the changes. The modified proposed regulations follow a 45-day written comment period on the initial proposed regulations that ended on August 23, 2022, and two public hearings that were held on August 24 and 25, 2022. Interested parties submitted over 1,000 pages of written comments during the written comment period.

The issuance of modified proposed regulations was expected based on comments made during the Agency’s prior Board meeting on September 23, 2022. The Agency initially issued the modified proposed regulations in connection with two days of Board meetings scheduled for October 21 and 22, 2022. Later in the day on September 17, the Agency announced that it will hold two more days of Board meetings on October 28 and 29, 2022.

At the meetings, the Board will discuss the proposed regulations, including possible adoption or modification of the text. To that end, the accompanying explanation document identifies twenty-eight (28) items that Agency staff recommend for discussion at the meetings.

In the below post, we first provide high-level takeaways from the modified proposed regulations. We then discuss some of the more notable changes. We do not attempt to summarize all of the changes.

Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.

As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.

Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.

Businesses subject to the CCPA and that have California employees or deal with other California companies will need to engage in substantial efforts to update their privacy programs. We outline some of the necessary steps below.

Keypoint: While the Agency previously published draft regulations in early June, its filing of a Notice of Proposed Rulemaking officially initiates the rulemaking process and triggers a 45-day comment period.

On July 8, 2022, the California Privacy Protection Agency (Agency) announced that it has initiated the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA). The announcement comes exactly six weeks after the Agency published draft regulations in connection with an Agency Board meeting held on June 8, 2022.

In the below post we identify the rulemaking documents filed by the Agency, discuss the rulemaking timeframe and scope, highlight comments the Agency made regarding other privacy laws, and identify the non-substantive changes made between this version and the prior draft version published in June.

Keypoint: The California Privacy Protection Agency issued a first set of draft regulations that contain a number of notable provisions but do not address all of the CPRA’s rulemaking topics.

On Friday, May 27, 2022, the California Privacy Protection Agency (CPPA or Agency) issued draft regulations in connection with a Board meeting scheduled for June 8, 2022.

In the below post, we provide high-level takeaways from the draft regulations, discuss the rulemaking timeframe, and provide a summary of some of the more notable provisions.

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.