The CPRA Digest: What's Next for Rulemaking
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”) supersedes the CCPA and will be operative on January 1, 2023 (with a look-back period starting January 1, 2022). Until that time, the CCPA as currently written remains in effect. As we learned during the lead-up to the CCPA, the time period to prepare for this type of comprehensive and complex legislation passes quickly, and companies need to begin their CPRA preparations sooner rather than later. In this installment, we take a quick look at the current state of the rulemaking activity for the CPRA.
In this regard, the newly established California Privacy Protection Agency ("Agency") is required to update existing regulations for the CCPA and adopt new ones to address the amendments enacted by the CPRA. As part of this process, the Agency published its initial invitation for comments on its future rulemaking in September. Although comments on all topics were welcomed, the Agency sought input on eight specific topics of interest to it and its rulemaking efforts:
- Processing that presents a significant risk to consumers’ privacy or security: cybersecurity audits and risk assessments performed by businesses
- Automated decisionmaking
- Audits performed by the Agency
- Consumers’ right to delete, right to correct, and right to know
- Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
- Consumers’ rights to limit the use and disclosure of sensitive personal information
- Information to be provided in response to a consumer request to know (specific pieces of information)
- Definitions and categories
On December 14, the Agency made the nearly 900 pages of comments publicly available. The comments are not presented in a structured manner, but some general themes become evident after even a high level review:
- Industry positions were well represented with a majority of the comments coming from businesses or business associations. These included comments from advertising networks, large tech companies, financial and insurance businesses, and a host of other businesses.
- Many of the commentators are concerned with the obligations regarding automated decisionmaking and stressed the need to carefully construct regulations in this space to avoid unintended consequences. This is not surprising, considering the difficulty many organizations had in understanding and applying the rules regarding automated decision-making under the GDPR and will be an important area for clear guidance.
- A number of comments also expressed concern with the scope of the cybersecurity audits required when processing data that “presents a significant risk to consumers’ privacy or security”.
- Although outside the subject matters of interest identified by the Agency, many commentators urged the Agency to harmonize the pending regulations with other privacy regimes, both in the US (e.g., Colorado and Virginia) and abroad (e.g., the GDPR and the UK GDPR).
- The obligation to provide a universal opt-out was also a topic of concern from a logistical and technical standpoint, with many commentators urging the adoption of an open standard that minimizes the burdens of compliance and avoids a multiplicity of competing standards.
In terms of next steps, the Agency is still in the preliminary information-gathering phase of its work. The Agency plans to schedule “informational hearings to gather information and obtain further preliminary public input.” But those hearings are not on the calendar yet.
The final phase of the process, formal rulemaking activities, will take place in the coming year with the clock quickly ticking down to January 1, 2023. During that final stretch, formal regulations will be proposed, commented on, and crystallized: the end game for preparing for compliance with the CPRA.
Although it is not clear what impact these comments will have on the content of the updated regulations, the sheer volume demonstrates the massive public interest in these next rounds of rulemaking and the need for clear regulations that help companies interpret and address the new and complicated requirements of the CPRA, rather than layering on additional and/or stricter requirements as part of this process. Organizations should track these activities, particularly information as it is released regarding the proposed timing of next steps. Companies should not wait, however, to kick off their CPRA preparation, as waiting will likely not leave them sufficient time to make all of the changes needed to comply with the CPRA. Rather, organizations should move forward with these efforts now, while being prepared to adapt them where necessary to address updated regulations as they are released and adopted.
If you have any questions about this installment, the CPRA, the CCPA or compliance with data privacy and security regulations in the US or the rest of the world, please contact a member of the BCLP Global Data Privacy & Security Team. Be sure also to follow our CPRA Digest as we continue to examine other key aspects of the CPRA and steps that companies can undertake to begin addressing them. Our prior alerts are available here.
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.