Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking activities to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below.

CPPA Next Public Meeting: Thursday, February 17 at 9:30 AM PT

The CPPA announced via an email update that its next public meeting will be held Thursday, February 17, at which Executive Director Ashkan Soltani will provide an update regarding the rulemaking process. According to the meeting’s agenda, we will learn about, among other things, the agency’s forthcoming informational hearings and a timeline for its rulemaking process. Given administrative and statutory requirements, a timeline would likely include estimated dates for issuance of a first draft of regulations and the number and duration of public comment periods. Under the CCPA, the California Office of the Attorney General (“CalAG”) held three public comment periods – 45, 15, and 15 days in length – and issued a first set of final regulations on August 14, 2020 (after the statutory deadline of July 1, 2020). The CPPA is required under the CPRA to issue final regulations by July 1, 2022, a deadline it seemingly will not be able to meet given the public comment periods required under California administrative law and the other timing constraints it currently faces.

CPPA Pre-Rulemaking Activities

The CPPA proposed its framework for the CPPA Rulemaking Process during the Board Meeting on September 7-8, 2021. The CPPA assumed rulemaking authority from CalAG on October 21, 2021, at which point it began the informal rulemaking process. During the informal rulemaking process, it sought preliminary public input on the following issues:

  • cybersecurity audits and risk assessments;
  • automated decision making;
  • the agency’s audit authority;
  • the right to correct inaccurate information;
  • limiting the use of sensitive personal information;
  • opt-out preference signals (as related to new rights under the CPRA);
  • applicable standards for business’s determination that responding to a request to know exceeding 12 months is “impossible” or “would involve a disproportionate effort.”

The CPPA solicited preliminary public input from September 22, 2021 through November 8, 2021. The preliminary comment period has closed and public comments are available on the CPPA’s website.

The CPPA is authorized to issue regulations under both the current CCPA as well as the CPRA, which amends the CCPA and becomes operative, in large part, on Jan. 1, 2023.

Considering the significant mandate for regulations under CPRA—there are 22 enumerated areas (discussed further below) in which the CPRA mandates new regulations, compared to the original CCPA’s seven—the CPPA may only have time and resources to focus on new CPRA mandates. In any event, businesses should expect the CPRA regulations to be quite voluminous, with the page count likely numbering in the triple digits (in comparison, the CCPA regulations are 28 pages long).

Colorado AG Rulemaking Activities

In the press release, AG Weiser signaled significant engagement with and input from Coloradans and Colorado businesses in the coming months, including holding high-level conversations and town halls, posting a series of topics for informal input on its website, and soliciting responses in writing and at scheduled events. Following this more informal public input period, the AG will post a formal Notice of Proposed Rulemaking “by this Fall” which “will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado.” According to the statement, the COAG expects to be in a position to adopt final rules around late January or February 2023. The CPA becomes effective July 1, 2023.

In his remarks, AG Weiser shared that rulemaking priorities will include:

  • the process of providing consumer notice that provides consumers with the opportunity to fairly and freely approve or reject data sharing;
  • “dark patterns,” which can unfairly mislead consumers on this issue;
  • the process for consumers to engage and learn about their data profiles as well as to correct inaccurate data; and
  • providing guidance on company auditing and data protection assessment procedures.

In order to promulgate these rules, the COAG has hired two assistant attorneys general to assist with rulemaking and enforcement. Paul Ohm, a Georgetown Law professor, is working part-time with the COAG to assist with the CPA rules.

Enumerated Mandated Regulations – CPRA vs. CPA

California Privacy Rights Act

The CPPA must assume rulemaking responsibilities for specifying record keeping requirements for businesses to ensure compliance. In addition, it must adopt, amend, and rescind, as appropriate, regulations for:

  • Updating or adding categories of personal information (as enumerated under, sensitive personal information, and “deidentified” and “unique identifier” to account for changes in technology, data collection, and other areas of interest.
  • Establishing necessary exceptions to comply with state or federal law, including but not limited to, laws regarding trade secrets and IP rights.
  • Establishing rules and procedures for submitting and complying with consumer’s opt-out of sale or sharing of personal information, and developing a recognizable opt-out logo or button to raise awareness among consumers.
  • Adjusting monetary thresholds to reflect any increase in the Consumer Price Index.
  • Establishing rules, procedures, and exceptions to ensure consumer notices are understandable, accessible, and available in the language primarily used to interact with the consumer.
  • Establishing rules and procedures for furthering consumers’ rights to delete, amend and know, with the goal of minimizing administrative burden to consumers.
  • Establishing the frequency and circumstances under which consumers may request to correct their personal information.
  • The applicable standards for business’s determination that responding to a request to know exceeding 12 months is “impossible” or “would involve a disproportionate effort.”
  • Clarifying permissible business purposes for using consumers’ personal information.
  • Clarifying permissible business purposes for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business.
  • Defining “intentionally interacts,” “precise geolocation,” “specific pieces of information obtained from the consumer;” and “law enforcement agency-approved investigation.”
  • Requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ data privacy and security to, among other things, perform an annual cybersecurity audit.
  • Requirements governing access and opt-out rights regarding a business’s use of automated decision making technology.
  • Clarifying the scope and process for the exercise of the CPPA’s audit authority.
  • Defining the requirements and technical specifications for an opt-out preference signal, and how a business should comply with and respond to such opt-out preference signals.
  • Harmonizing the CCPA/CPRA with the Insurance Code provisions regarding consumer privacy.
  • Harmonizing regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms.

Colorado Privacy Act

The COAG must adopt rules:

  • Clarifying technical specifications for one or more universal opt-out mechanisms through which consumers may communicate their choice to opt out of processing of personal data for targeted advertising or sale. The specifications must, among other things, require the controller to inform the consumer about their opt-out choices and adopt a mechanism that is consumer-friendly, clearly described, and easy for the average consumer to use.
  • Governing the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses by January 1, 2025.