California Privacy Protection Agency Approves CPRA Regulations and Takes Steps to Promulgate Future Rulemaking on Additional Topics | WilmerHale


On Friday, February 3, 2023, the California Privacy Protection Agency (CPPA) held a public board meeting at which it voted unanimously to (1) approve the final text of the California Privacy Rights Act (CPRA) regulations and (2) issue an invitation for preliminary public comments regarding proposed rulemaking on cybersecurity audits, risk assessments, and automated decision making.

These actions will impact companies both directly subject to California’s regulatory authority and those that operate in other states that may be influenced by California regulators’ approach. This rulemaking also comes after the California Attorney General’s (AG) office recently released a series of enforcement examples where the agency conducted an investigative sweep of some mobile applications for compliance with the existing provisions of the California Consumer Privacy Act (CCPA). Though the CPPA and the California AG cannot enforce the CPPA until July 1, 2023 and only then for violations that occur after this date, businesses should be aware that the CCPA is still in effect and being enforced. Businesses should also note that the CPRA does not have a statutory cure period and will have two regulators enforcing the law, which further increases the relevant compliance risk. Companies that were waiting until the CPRA regulations became final before taking additional compliance steps now have final instructions on what is required under the law.  

We have highlighted the key takeaways from the public meeting below. We are happy to answer any CPRA compliance questions you may have. 

1. Approval of CPRA Regulations: CPPA voted unanimously to approve the final text of the CPRA regulations. The final text is substantively identical to the previous version of the regulations circulated in November 2022. As we have previously written, the CPRA regulations add numerous requirements on top of the already-in-effect California Consumer Privacy Act (CCPA) regulations, particularly in such areas as dark patterns, opt-out preference signals, notice, requests to correct and limit, third-party contracts, targeted advertising, and enforcement. 

The regulations will now move to the California Office of Administrative Law (OAL) for approval. The CPPA expects to send its rulemaking package to OAL within two weeks. From there, OAL will have 30 business days to review and approve the regulations. The CPPA has estimated that the earliest the CPRA regulations could go into effect would be April 2023. 

2. Invitation for Preliminary Comments on Proposed Rulemaking for Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking: CPPA also voted unanimously to issue an invitation for preliminary public comments on potential rules regarding cybersecurity audits, risk assessments, and automated decisionmaking — all areas of the CPPA’s rulemaking authority that were added by the CPRA. 

Generally speaking, the CPPA appears interested in learning more about how organizations are already tackling the challenges of cybersecurity audits, risk assessments, and automated decisionmaking, whether in the context of other legal compliance regimes or general best practices. 

The invitation indicates that the CPPA is particularly interested in learning more about the following:

  • Cybersecurity Audits: 
    • Current laws that require organizations to conduct cybersecurity audits and the processes that organizations have developed to comply with these laws.
    • Other cybersecurity audits, assessments, evaluations, and best practices that organization apply, and how these models might be relevant in the CPRA context.
    • Steps that the CPPA could take to ensure that these cybersecurity audits are “thorough and independent.” 
  • Risk Assessments: 
    • Current laws that require organizations to conduct information-processing risk assessments and the processes that organizations have developed to comply with these laws.
    • Types of harms that “particular individuals or communities [are] likely to experience from a business’s processing of personal information.”
    • With regards to determining what types of processing present significant risks to consumer privacy or security, the benefits and drawbacks of the CPPA adopting the approach of the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, and alternative models or factors that the Agency might consider.
    • The minimum content that these risk assessments should include, including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act. 
  • Automated Decisionmaking:
    • Current laws that “requir[e] access and/or opt-out rights in the context of automated decisionmaking,” as well as other frameworks and best practices in this space. Specifically, the CPPA expressed an interest in how “automated decisionmaking technology” is defined in other laws and frameworks. 
    • Organizations’ current uses of automated decisionmaking technologies, including the contexts in which they are deployed.
    • Consumers’ experiences and concerns with automated decisionmaking technologies.
    • The prevalence of algorithmic discrimination generally, as well as whether the level of such discrimination varies across sectors.
    • How access and opt-out rights regarding automated decisionmaking technologies might help to address algorithmic discrimination, including how such rights should be implemented (e.g., what information should be included in response to an access request).

3. CPRA Regulations as “Work in Progress”: CPPA emphasized that the CPRA regulations — even after finalization of the current text — would continue to be a work in progress. Board members noted that some public comments not addressed in the current iteration of the regulations would be revisited for future iterations. Specifically, Board member Lydia de la Torre noted her interest in revisiting Section 7002 of the regulations (“Restrictions on the Collection and Use of Personal Information”) to incorporate more secondary use carveouts, such as for journalists and statistical uses of data. Similarly, board member Vinhcent Le expressed an interest in revisiting topics such as dark patterns and employee benefits.

4. Public Comments: Contributions from the public were relatively limited during this meeting, with only three individuals offering comments on the final text. Most notably, one commenter highlighted the need for the CPPA to issue practical guidance for businesses that will be newly subject to California privacy laws with the new regulations, specifically highlighting the example of employers that do not process consumer information but do process employee information.