Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking activities to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below.
CPPA Next Public Meeting: Thursday, February 17 at 9:30 AM PT
The CPPA announced via an email update that its next public meeting will be held Thursday, February 17 at which Executive Director, Ashkan Soltani, will provide an update regarding the rulemaking process. According to the meeting’s agenda, we will learn about, among other things, the agency’s forthcoming informational hearings and a timeline for its rulemaking process. Given administrative and statutory requirements, a timeline would likely include estimated dates for issuance of a first draft of regulations and the number and duration of public comment periods. Under the CCPA, the California Office of the Attorney General (“CalAG”) held three public comment periods – 45, 15, and 15 days in length – and issued a first set of final regulations on August 14, 2020 (after the statutory deadline of July 1, 2020). The CPPA is required under the CPRA to issue final regulations by July 1, 2022, a deadline which it seemingly will not be able to meet given the requirement for public comment periods under California administrative law and other timing constraints with which it is currently presented.
CPPA Pre-Rulemaking Activities
The CPPA proposed its framework for the CPPA Rulemaking Process during the Board Meeting on September 7-8, 2021. The CPPA assumed rulemaking authority from CalAG on October 21, 2021, at which point it began the informal rulemaking process. During the informal rulemaking process, it sought preliminary public input on the following issues:
- cybersecurity audits and risk assessments;
- automated decision making;
- the agency’s audit authority;
- the right to correct inaccurate information;
- limiting the use of sensitive personal information;
- opt-out preference signals (as related to new rights under the CPRA);
- applicable standards for business’s determination that responding to a request to know exceeding 12 months is “impossible” or “would involve a disproportionate effort.”
The CPPA solicited preliminary public input from September 22, 2021 through November 8, 2021. The preliminary comment period has closed and public comments are available on the CPPA’s website.
The CPPA is authorized to issue regulations under both the current CCPA as well as the CPRA, which amends the CCPA and becomes operative, in large part, on Jan. 1, 2023.
Considering the significant mandate for regulations under CPRA—there are 22 enumerated areas (discussed further below) in which the CPRA mandates new regulations, compared to the original CCPA’s seven—the CPPA may only have time and resources to focus on new CPRA mandates. In any event, businesses should expect the CPRA regulations to be quite voluminous, with the page count likely numbering in the triple digits (in comparison, the CCPA regulations are 28 pages long).
Colorado AG Rulemaking Activities
In the press release, AG Weiser signaled significant engagement with and input from Coloradans and Colorado businesses in the coming months, including holding high-level conversations and town halls, posting a series of topics for informal input on its website, and soliciting responses in writing and at scheduled events. Following this more informal public input period, the AG will post a formal Notice of Proposed Rulemaking “by this Fall” which “will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado.” According to the statement, the COAG expects to be in a position to adopt final rules around late January or February 2023. The CPA becomes effective July 1, 2023.
In his remarks, AG Weiser shared that rulemaking priorities will include:
- the process of providing consumer notice that provides consumers with the opportunity to fairly and freely approve or reject data sharing;
- “dark patterns,” which can unfairly mislead consumers on this issue;
- the process for consumers to engage and learn about their data profiles as well as to correct inaccurate data; and
- providing guidance on company auditing and data protection assessment procedures.
In order to promulgate these rules, the COAG has hired two assistant attorneys general to assist with rulemaking and enforcement. Paul Ohm, a Georgetown Law professor, is working part-time with the COAG to assist with the CPA rules.
Enumerated Mandated Regulations – CPRA vs. CPA
|California Privacy Rights Act||Colorado Privacy Act|
|The CPPA must assume rulemaking responsibilities for specifying record keeping requirements for businesses to ensure compliance. In addition, it must adopt, amend, and rescind, as appropriate, regulations for:
||The COAG must adopt rules: