As we previously reported, on March 8, 2024, the California Privacy Protection Agency (CPPA) Board voted to advance draft regulations toward official rulemaking.

New draft regulations were proposed by the CPPA staff and considered, but not approved, by the CPPA Board in Q4 of 2023. In February 2024, further revised draft regulations were released, and the CPPA Board considered them on March 8. The Board voted 5 to 0 to move forward with amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data-driven technologies, with a direction to staff to add, to the requirements for filing abridged assessments with the CPPA, a discussion of what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case, the staff was authorized to prepare the materials necessary under administrative procedure laws and regulations to publish a notice of proposed rulemaking, the publication of which would be subject to a further Board vote after review of the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify the text or conform with the law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplated that it would be done by the July 2024 Board meeting at the latest.

The staff has met that timeline, and the CPPA Board is now scheduled to consider that process at its July 16 meeting. The package documents are here:

Interestingly, although not part of what the Board previously advanced, the draft rules on cybersecurity audits (Article 9) are included. 

PrivacyWorld will report back on what advances out of the Board meeting.