The California Privacy Protection Agency (CPPA) Board, created by the California Privacy Rights Act (CPRA), has been busy of late. As we recently reported, the CCPA has hired renowned privacy technologist Ashkan Soltani as its new Executive Director to lead the agency. Meanwhile, the agency’s committees have been hard at work. The Regulations Subcommittee has proposed its framework for its rulemaking process. Notably, the subcommittee recommends an immediate start to pre-rulemaking activities such as issuing an invitation for comments, the creation of additional subcommittees, and the identification of informational hearing topics. A pre-rulemaking process gives the agency flexibility to hear from stakeholders outside of the formal and constrained process that will begin once the regulatory process officially commences. The framework also notes that the notice of proposed rulemaking, initial statement of reasons (ISOR), and text of the regulations should be published in winter 2021-2022, with public hearings taking place thereafter. This suggests that stakeholders have a short window of opportunity to take advantage of the pre-regulatory educational period. It will be interesting to see if the agency conducts the kind of “listening tour” the Office of Attorney General (OAG) went on across the Golden State by means of town halls prior to its California Consumer Privacy Act (CCPA) rulemaking process, or elects to spend its time in more intimate and concerted explorations.

The subcommittee also provided insight into how it recommends varying topics should be assigned to existing and proposed subcommittees. It proposes that the Board create a new CPRA Rules Subcommittee to oversee cybersecurity audits, risk assessments, automated decision-making, and the Agency’s audit authority – new rights and obligations under CPRA. A CCPA Rules Subcommittee is suggested for opt-out requests, accessibility, rights to erase, correct and know, and the use of personal information by contractors and service providers — existing rights and obligations under CCPA. Finally, it suggests that the Rulemaking Process Subcommittee coordinate pre-rulemaking and rulemaking activities as well as the report on scope of rules that apply to insurance corporations, an issue left murky by the CCPA and OAG rulemaking. The Rulemaking Process Subcommittee is also recommended to make suggestions for additional topics for rulemaking, make recommendations as to whether a rule is needed within a certain topic, and to secure resources as needed.

The CPRA vests the CPPA with more specific and broader rulemaking authority than pre-CPRA CCPA vested in the OAG. Will the CCPA’s greater mandate and discretion result in more meaningful or more intrusive regulation? Will it make the law more flexible as to permit innovation in a complex and evolving digital world while balancing individuals’ interest in data practice transparency and choice, or will the 2.0 rules prove to be overly constrictive and ludditean? Only time will tell. However, businesses, consumers and other stakeholders all have an opportunity in the coming months to have their opinions heard. SBP’s Data Privacy, Cybersecurity and Digital Assets practice, in cooperation with our preeminent Public Policy Group, is developing comments, and other strategies, for clients both on a named and anonymous basis, including submitting comments through legislative policy committees of trade associations and bar associations with which we are working. Contact the authors for more information.