The California Privacy Protection Agency Board outlined a proposed course of action for the upcoming California Privacy Rights Act rulemaking process, addressing what will and will not be anticipated areas of focus. The board did not discuss the quickly approaching July 1 target date for finalizing regulations.

The CPRA takes effect Jan. 1, 2023, and provides for regulations to be finalized by July 1, allowing for a six-month compliance window. CPPA Executive Director Ashkan Soltani indicated during a public meeting earlier this year that completion of the rulemaking process will go “somewhat past the July 1 rulemaking schedule in the statute.”  

The issue was top of mind for representatives of the business community who spoke during public comment during the board's May 26 meeting.

President of the California Hispanic Chambers of Commerce Julian Canete said the “lack of certainty around timing and scope of the draft is a real challenge.” He said the organization requests the agency formally extend the July 1 date and enforcement deadline “so small businesses have ample time to get feedback and prepare for compliance.”

“With only six weeks left, we aren’t aware of any such dealings or actions on this issue,” he said. “These regulations are too important to rush.”  

Public Policy Manager for the California Asian Pacific Chamber of Commerce Andrea Cao expressed concerns over the uncertainty of the regulations and their potential “unintended consequences.”

“We have not heard anything about the actual scope of the regulations nor the costs that will need to be shouldered by businesses,” she said, noting the regulations will affect companies of all sizes. “What is the agency’s plan to address the July 1 deadline, other than missing it?”

While, the board did not discuss extending the July 1 date it did note enforcement and agency audit rights as areas of focus within the draft rules, as well as explanations of the CPRA’s requirements on avoiding dark patterns.

The upcoming draft regulations will not include guidance on cybersecurity audits, privacy risk assessments, or automated decision-making technologies. Board member Vinhcent Le said the topics “require more work” and could be discussed and released within a future rulemaking package.

So what can the public expect for the upcoming rulemaking process?

A notice of proposed rulemaking will be filed on a yet to be determined date, and the draft rules will be released to the board and the public. At the time, a public comment period of at least 45 days will begin, with several board meetings and public hearings anticipated before the board discusses and submits a final rulemaking package. Board members expressed a desire to digest the proposed rules and discuss them publicly before the public comment period ends, so members of the public can understand where the board is coming from.

Updating the board on agency activities, Soltani said he is “incredibly proud” of hiring progress, announcing Maureen Mahoney, former Consumer Reports senior policy analyst, will join the board as deputy director of policy and legislation. The agency has also brought on key human resources and legal staff, he said, and is recruiting for legal analysts, law clerks, administrative staff, and more. A proposed 2022/23 budget, anticipated to be passed next month, requests 34 positions “to satisfy obligations with a focus on rulemaking and public awareness." 

Photo by Steven Pahel on Unsplash