And the first set of regulations is now off to the races for OAL approval. But the CPPA also made it clear that this is not the end. Besides the regulations on cybersecurity audits, risk assessments, and automated decision-making, which were already acknowledged to be in a second set of regulations, the discussion acknowledged that there is still a "running list" of issues that have been set aside for now, including known gaps in the regulations for employment and business-to-business information. So it seems these "final" regulations may not be "final" for a while, and businesses should be prepared for additional changes in some areas.

California Privacy Protection Agency Board just voted to direct staff to submit proposed rulemaking package to the Office of Administrative Law for final approval. Look for OAL response (likely approval of at least many provisions) in or about April 2023. Lots of discussion that a "running list" of issues with these rules exists and may be considered by the Agency down the road. Employee issues were mentioned as being on this list, and public comment specifically asked them to address.
