ARTICLE
13 November 2024

California Privacy Protection Agency Approves Regulations For Data Broker Registration And Advances Other Updates To Formal Rulemaking

FL
Foley & Lardner

Contributor

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
The California Privacy Protection Agency (CPPA) made some big moves at its November 8 meeting, voting to approve draft regulations for data broker registration.
United States California Privacy

The California Privacy Protection Agency (CPPA) made some big moves at its November 8 meeting, voting to approve draft regulations for data broker registration.

After months of "discussion", the CPPA also advanced draft updates to the California Consumer Privacy Act (CCPA) regulations and new regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making to the formal rulemaking process.

However, the formal rulemaking process is just one step in finalizing the draft regulations. Under California law, the CPPA must first publish a notice of proposed action in the California Regulatory Notice Register and publish the text of the draft regulations and the Initial Statement of Reasons (ISOR) on its website. The public has a minimum of 45 days to provide comments.

The CPPA must then compile and respond to all substantive comments, explaining that it agrees or disagrees with the comment and why. If there are substantive changes to the draft regulations, there is then a second comment period of at least 15 days. This process of review, explain, and comment period is then repeated.

Finally, the agency will prepare a final rulemaking package with final proposed regulations and submit it to the California Office of Administrative Law (OAL), which has 30 working days to review it for compliance with law. If the regulations are approved, they may be effective immediately after the Third District Court of Appeals overturned a lower court's decision that California voters intended a 1-year delay in enforcement.

While this all sounds "speedy", the previous formal rulemaking process for CCPA regulations took about 244 days or almost two-thirds of a year. While in theory the new regulations are smaller in scope, some of the changes to the existing CCPA regulations do have an impact on businesses, and businesses should expect a fairly long process before the proposed regulations are finalized and effective.

The California Privacy Protection Agency (CPPA) Board voted on November 8 to adopt new regulations regarding data broker registration requirements. In addition, the board voted to advance the proposed rulemaking package for insurance, cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), and updates to existing regulations, to the formal rulemaking process.

View referenced article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More