On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday. (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk.) The next step is for the CPPA Staff to initiate the formal notice and comment period, where businesses, advocates, and consumers will have an opportunity to weigh in on the proposed rules.
Here is a timeline of the proposed rulemaking:
- Formal Publication of Rules: The CPPA will commence formal rulemaking in accordance with the California Administrative Procedures Act. As detailed in response to FAQs on the CPPA's website, the agency will file a Notice of Proposed Action (NOPA), the text of the proposed regulations, and the Initial Statement of Reasons (ISOR) with the Office of Administrative Law (OAL). The NOPA will be published in the California Regulatory Notice Register (similar to the Federal Register), marking the first day of the formal rulemaking process.
- Comment & Hearing: The initial comment period will run at least 45 days, and the CPPA will hold a public hearing. Then, if any changes are made to the initial draft, a subsequent comment period of at least 15 days will run to receive comments on the revisions. The CPPA will then issue its Final Statement of Reasons (FSOR) and final regulations.
- Board Involvement During Rulemaking Process:
At the CPPA's May 26, 2022 open meeting, the Process
Subcommittee provided a presentation on the
rulemaking process, indicating that the CPPA intends for the
CPPA Board to play an active role. The presentation proposes the
- At the next meeting (20-45 days after the June 8, 2022 meeting), Staff will answer the Board's questions about the proposed rules, and the Board will discuss the proposed rules in detail.
- After the close of the initial comment period, the Board will hold at least one meeting where Staff will present the Board with proposed updates to the rules, and answer questions. The Board has an opportunity to bring in experts to testify about changes to the rules. The Board will then vote to approve moving forward.
- Staff will then prepare the final package, and at a final meeting, the Board will vote to approve the filing of the package with the OAL.
- Advance Notice of CPPA Action: All action of the CPPA occurs during open meetings of the Board, and all materials to be considered by the Board must be made available 10 days before the open meeting. This will provide the public advance insight into any written materials under consideration by the CPPA before any vote.
- Additional Rulemaking: The CPPA has indicated that the initial draft rules are not the only rules that the CPPA will issue. In addition, a second round of rulemaking may focus on automated decisionmaking, cybersecurity audits, and privacy risk assessments. The timeline for issuance of additional rules is currently unclear.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.