Within the next two weeks, California Privacy Protection Agency (“Agency”) staff will prepare and submit a document package to the Office of Administrative Law (“OAL”) that includes the final text of the CPRA regulations along with the Final Statement of Reasons and responses to all public comments. Once received, the OAL will have 30 business days to review, recommend modifications, and ultimately approve or reject the package.
On November 3, 2022, the CPPA officially released the CPRA Modified Regulations (Modified Regs) for the expected 15-day comment period. The public comment period will end on November 21, 2022, and interested parties may submit written comments about the Modified Regs until 8AM Pacific Time on that date. This update came following a two-day meeting of the CPPA Board on October 28th and 29th, discussed here.
Following this comment period, the Modified Regs will have to be formally approved and sent to the Office of Administrative Law (OAL), which will also review and approve or reject the regulations. Once approved by the OAL, the regulations will become final.
For more information on the impact of the Modified Regs or the comment period, contact the authors or your relationship partner at the firm. CPW will continue to cover the CPRA rulemaking process and other state privacy law developments, as well as federal legislative and regulatory efforts.
At a two-day meeting that took place on October 28th and 29th, the CPPA considered the CPRA Modified Regulations (Modified Regs) that were published on October 17th of this year. We analyze the initial proposed CPRA regulations here.
On the proposed changes of the Modified Regs, the CPPA Board (the Board) considered clarifying amendments while maintaining the initial intent of the (i.e., no further substantive changes). There are three amendments of particular importance that were discussed:
The California Privacy Protection Agency sent a Notice of Cancellation of Regular Meeting canceling its upcoming public meeting where it was scheduled to discuss (and possibly take action on) the Modified Text of Proposed Regulations (“Modified Regs”). The Modified Regs are now scheduled to be considered during the October 28-29, 2022 public meeting, further delaying the Agency’s rulemaking.
On October 17, 2022, the California Privacy Protection Agency (“CPPA” or “Agency”) published Modified Text of Proposed Regulations (“Modified Regs”) and Explanation of Modified Text of Proposed Regulations (“Explanation of Modified Regs”). The CPPA review of the Modified Regs has been postponed and is now scheduled to be considered during the October 28-29, 2022 public meeting.
Recall that earlier this year, on May 27, 2022, the CPPA published the first draft of the proposed CPRA Regs and initial statement of reasons. The Agency commenced the formal rulemaking process to adopt the Regs on July 8, 2022, and the 45-day public comment period closed on August 23, 2022. The comments submitted in response to the first draft of the Regs are available here.
This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!
We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA”), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With fewer than three months to go until January 1, regulations are not even close to being finalized. The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing or any comments on topics, such as those discussed in this post, for which regulations have not even been issued. This has left many businesses feeling left in the lurch, uncertain of what to do.
On Friday, September 23, the California Privacy Protection Agency (CPPA) held a Board meeting about various CPPA administrative activities.
In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”), on Friday May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the next day). The Agency has placed consideration of the draft Regs on its Board’s June 8 meeting agenda. If approved, they will then be subject to public comments, which must be considered before the Regs can be finalized.
The Regs contain detailed guidance regarding many highly-anticipated topics, such as:
- Global Privacy Control requirements—or the “Opt-Out Preference Signal” (“OOPS”) under the Regs—but unfortunately no technical specifications with respect to implementation of the OOPS. The Agency interprets the CPRA to make the opt-out link optional if OOPS are “frictionlessly” implemented, but not to make honoring OOPS optional if an opt-out link is provided.
- General principles regarding the handling of consumer requests.
- Detailed requirements regarding implementation of the rights to access, delete, correct, limit (the use of my sensitive information), and do not sell / do not share.
- Notices to consumers, including special notice requirements for job applicants, employees and contractors.
- Financial incentive notice requirements are relaxed.
- Service provider, contractor, and third party agreements and obligations.
- Complaint and enforcement procedures.
While the Regs leave various hot-button issues for a later draft (like automated decision-making, profiling, cybersecurity audits, and risk assessments), they certainly provide detailed guidance on the issues addressed. Even so, implementation will present many challenges for businesses, service providers, contractors, and even third-parties. As a result, we can expect spirited debate and comment from industry and consumer protection groups alike before the draft Regs are finalized.
Click here to read an overview of some of the most notable features of the draft Regs.
The California Privacy Protection Agency (“CPPA”) will host its next public meeting on Thursday, May 26, 2022 at 11AM PT. Members of the public may attend in person or virtually by following these instructions. CPPA Director Ashkan Soltani will provide an update on the CPPA’s hiring, budget, and rulemaking activities. Importantly, subcommittees will provide more information on the course of action for the upcoming rulemaking process as well as information regarding the anticipated rulemaking draft.
In February, the CPPA expressed its strategy to host informational preliminary hearings in order to ensure that the rules they adopt adequately address the most prevalent issues in consumer privacy, and anticipated that the rulemaking process, including formal period public hearings, would commence in the third quarter and continue into the fourth quarter of 2022. Earlier this month, the CPPA held a pre-rulemaking stakeholder session during which it heard public comments on automated decision-making, with most comments focusing on: (1) the type of automated decision-making activities that should be regulated; (2) consumer rights relating to the use of automated decision-making technology; (3) consumer opt-out rights relating to automated decision-making; and (4) alignment with the General Data Protection Regulation and other regulatory schemes.
Although final Regulations are not anticipated until sometime in early 2023, the California Privacy Rights Act amendments to the California Privacy Protection Act (“CCPA”) will go into effect in January 2023. Businesses should therefore monitor CPPA rulemaking activities to ensure they are aware of how the lead CCPA enforcement agency interprets the CCPA’s requirements, and to glean insight into the agency’s potential enforcement priorities.
On Friday, Feb. 18, California Assemblymember Evan Low (D) introduced two bills (AB 2871 and AB 2891) that propose to extend the CCPA’s HR and B2B data exemptions, one through Dec. 31, 2026 and the other indefinitely. These proposed amendments were introduced just 10 months prior to the main provisions of the California Privacy Rights Act (“CPRA”) coming into effect, particularly the CPRA’s consequential provisions which cause HR and B2B data – specifically, personal information of HR data subjects (e.g., employees, applicants and independent contractors) and personal information collected in certain B2B transactions and communications – to become subject to the full scope of California’s omnibus privacy law. It’s not yet clear whether either of these bills has widespread support. However, if either does pass, it is almost certain that the legislature’s authority to do so will be challenged by privacy advocates on a constitutional basis, as we analyze below. Organizations for now should therefore proceed as if HR and B2B data will be in full scope of the CPRA starting Jan. 1, 2023.
The California Constitution prescribes when the legislature can amend a statute that was passed through a ballot referendum (the CPRA was approved as a referendum by California voters on Election Day 2020). In particular, Article II, Section 10(c) of the California Constitution states that “The Legislature may amend or repeal an initiative statute by another statute that becomes effective only when approved by the electors unless the initiative statute permits amendment or repeal without the electors’ approval.” The initiative statute – here the CPRA – does permit amendment or repeal without elector approval,
provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act. CPRA, Section 25(a).
The purpose and intent of the CPRA as to the extension of the HR and B2B exemption is stated directly: “It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.” It’s not clear whether further extending the exemption as these proposed bills would is consistent with this purpose and intent, or if doing so could arguably serve to enhance privacy, especially in the absence of corresponding efforts to establish statutory privacy protections for these types of data subjects. Notably, the preamble of the CPRA additionally states, “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” This additional proviso leaves open the door for legislation that treats at least HR data subjects somewhat differently than traditional consumers.
These amendments will almost certainly tee up a challenge. Even if one or both of the amendments gain steam, organizations should be reluctant to forgo preparation for compliance with the CPRA as it relates to HR and B2B data because of the potential challenges these bills could face even if passed into law.