The California Privacy Protection Agency (CPPA) made some big moves at its November 8 meeting, voting to approve draft regulations for data broker registration.
After months of "discussion", the CPPA also advanced draft updates to the California Consumer Privacy Act (CCPA) regulations and new regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making to the formal rulemaking process.
However, the formal rulemaking process is just one step in finalizing the draft regulations. Under California law, the CPPA must first publish a notice of proposed action in the California Regulatory Notice Register and publish the text of the draft regulations and the Initial Statement of Reasons (ISOR) on its website. The public has a minimum of 45 days to provide comments.
The CPPA must then compile and respond to all substantive comments, explaining that it agrees or disagrees with the comment and why. If there are substantive changes to the draft regulations, there is then a second comment period of at least 15 days. This process of review, explain, and comment period is then repeated.
Finally, the agency will prepare a final rulemaking package with final proposed regulations and submit it to the California Office of Administrative Law (OAL), which has 30 working days to review it for compliance with law. If the regulations are approved, they may be effective immediately after the Third District Court of Appeals overturned a lower court's decision that California voters intended a 1-year delay in enforcement.
While this all sounds "speedy", the previous formal rulemaking process for CCPA regulations took about 244 days or almost two-thirds of a year. While in theory the new regulations are smaller in scope, some of the changes to the existing CCPA regulations do have an impact on businesses, and businesses should expect a fairly long process before the proposed regulations are finalized and effective.
The California Privacy Protection Agency (CPPA) Board voted on November 8 to adopt new regulations regarding data broker registration requirements. In addition, the board voted to advance the proposed rulemaking package for insurance, cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), and updates to existing regulations, to the formal rulemaking process.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.