New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review.
The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February. The first rulemaking package addresses regulations concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.
"I'm incredibly impressed with the team and thankful for the Board's thoughtful guidance," CPPA Executive Director Ashkan Soltani said in a statement. "With the regulations in place, we can now redouble our efforts to promote public awareness of consumers' rights and businesses' responsibilities under the law to better ensure that these privacy rights are secured."
In its press release, the agency indicated the regulations "provide clarity and specificity to implement" changes to the CCPA regulations necessitated by the CPRA. It added the final rules "place the consumer in a position where they can knowingly and freely negotiate with a business over the business's use of the consumer's personal information."
More CPPA insights into the final regulations will come to light at the IAPP Global Privacy Summit 2023 in Washington, D.C., 5 April, as Soltani joins California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, for a discussion on CCPA enforcement.
The finalization is a culmination of a rulemaking process the CPPA commenced 8 July 2022, after originally scheduling its completion for 1 July 2022. The agency formally announced an extended delay to its process 23 Feb. 2022, citing insufficient staff and resources would slow its work.
The CPPA Board had its first-ever meeting 14 June 2021, while Soltani was appointed executive director 4 Oct. 2021. The agency added relevant personnel on a rolling basis — and lost a board member — while executing its rulemaking procedure.
"This is a major accomplishment, and a significant step forward for Californians' consumer privacy. I'm deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process," CPPA Board Chair Jennifer Urban said in a statement.
Industry stakeholders criticized the agency's drawn-out rulemaking procedure despite the short-staffing acknowledgements. Concerns stemmed from the lack of time for companies to sufficiently implement final regulations ahead of CPRA enforcement becoming effective 1 July.
The agency partially addressed the enforcement concerns with a rule allowing the CPPA to "consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."
Upon submission of the first rulemaking package to the OAL, the CPPA announced preliminary activities on its next rulemaking package. The second set of CPRA rules will address cybersecurity audits, risk assessments and automated decision-making.