There has been a stream of activity around California Privacy Rights Act rulemaking in recent months, yet privacy professionals have been working under a mostly undefined timeline for a formal rulemaking process. The California Privacy Protection Agency is now signaling that process is on the horizon.

The CPPA announced May 27 its plans to discuss CPRA draft regulations during its next board meeting June 8. That announcement subtly included the first cluster of proposed rules for the 22 topics the CPPA plans to address. The preliminary rules in the initial release maintain pre-existing California Consumer Privacy Act regulations, but they do modify certain provisions and propose new regulations.

While the formal rulemaking will require an official advanced notice, Future of Privacy Forum Senior Counsel Keir Lamont, CIPP/US, said the publishing of the drafts "could be thought of as an ‘advance notice' of proposed rulemaking." And past the element of surprise that came with the release, some view the process around CPRA regulations playing out in lockstep with that of CCPA rulemaking.

"So far, the process has been similar to the CCPA regulatory drafting process, and we expect more clarity as the comment periods and drafts start coming with more regularity," Privacy Rights Clearinghouse Policy Analyst Emory Roane said. "The agency has a deadline to make, so the first draft had to come sooner or later."

The deadline for final CPRA regulations is still up in the air. CPPA Executive Director Ashkan Soltani said in February the CPPA would go "somewhat past the July 1 rulemaking schedule" and the timetable for completion was tentatively expected "in Q3 or Q4."

First draft's hits and misses

Though there was not much shock value with what the agency covered in this first set of draft rules, there were a few eyebrow-raising proposals that are likely to be debated once stakeholder sessions commence in the formal rulemaking process. The most glaring mandate among the 66-page document was the agency proposing the recognition of global opt-out signals be mandatory despite the CPRA's text deeming them optional.

"The proposed regulations go into detail for how businesses that receive these signals must respond, but are presently light on guidance about the technical specifications and other requirements, such as notices to consumers, that such preference signals should adhere to," Lamont said.

The wheels began to turn toward this mandate last July when the California attorney general's office updated its CCPA FAQ to say that businesses must honor the Global Privacy Control, a signal delivered through a browser extension that automatically allows users to exercise their rights to opt out of the sale of their personal information. The document said covered businesses must treat GPC "as a valid consumer request to stop the sale of personal information."

Workarounds for the opt-out recognition mandate may still exist, according to Roane, from the CPPA's introduction of the term "frictionless manner." Roane said this addition will be contrary to the goal of easing consumer burdens and result in "fewer people knowing about and exercising rights."

"A business that includes 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links on their homepage can 'display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.' At the same time, a business can avoid including the links altogether by interpreting GPC signals in a 'frictionless manner,'" Roane said. "This 'friction' is wholly unnecessary, will discourage users from exercising privacy choices and will make the web worse for those that are using GPC signals."

There was no shortage of proposals around the handling and streamlining of user opt-out controls. The draft rules indicate consumer choice via cookie management tools do not meet standards to constitute an opt-out request or request to limit the use of sensitive personal data. In the advertising technology context, Red Clover Advisors founder and CEO Jodi Daniels, CIPP/US, said that proposal could be problematic because companies "actually collected more data just to honor a request." Daniels was receptive to the proposal for carrying user privacy controls under a single link.

"'Your Privacy Choices' or 'Your California Privacy Choices' is introduced to help avoid having multiple links that are not user-friendly or confusing," Daniels said. "Some of the ideas such as having a … button confirming that an opt-out of sale request will be a challenge for smaller companies and will force them to invest in privacy technologies. And I like the idea of just 'Your Privacy Choices' as that will play friendly with other state law requirements."

Other topics covered within the first draft include data collection and use requirements, user notice at collection, privacy policies, data processing agreements for service providers and contractors, and agency investigations and audits.

Covington & Burling Partner Lindsey Tonsager is among those who views much of what the CPPA drew up to be an overstep.

"The proposed draft regulations are sweeping and go far beyond the plain text of the law," Tonsager said. "From dictating the permitted color of 'yes' and 'no' buttons on websites to requiring stores to post signage at the store entrance or register identifying their wi-fi provider’s privacy practices, the draft rules would bring commerce on Main Streets across California and online to a grinding halt."

Key omissions

There is no timetable for addressing the remaining rulemaking topics that went unaddressed in the CPPA's first release. The next wave is expected to cover topics like cybersecurity audits, privacy risk assessments and automated decision making.

Even knowing there is more to come on addressed and unaddressed topics, there was a bit of head scratching over why some topics weren't prioritized in the first wave.

"I was a bit surprised they didn’t focus on children’s data given the recent movement we’ve seen overall in this space," Daniels said. "The next round is expected to include children’s information, risk assessments, audits and automated decision making technology. It will be interesting to see where they land as I think companies are going to continue to have questions on exactly what is expected regarding sale of data, cookie banners, and opt-outs."

While the wait on children's data may not directly correlate, the California State Assembly recently voted 72-0 in favor of Assembly Bill 2273, the California Age-Appropriate Design Code Act, which is now under Senate consideration. The CPPA would be charged with enforcement of the proposed act if it were to pass and the agency would oversee the establishment of the California Children’s Data Protection Taskforce. Formal and detailed CPRA rules on handling children's data could be paused until the fate of AB 2273 is decided.

Another potential reason for the CPPA passing over some topics could be the required focus and detail they pose.

"The Agency is already taking a pretty massive swing with this draft into some controversial, difficult areas of the CPRA," Roane said. "We're definitely not surprised the agency only chose a handful of topics. Its audit authority and the rules around algorithmic transparency I expect will take some more time to cook and involve more stakeholder sessions."

Short response window

The turnaround for consuming and formulating opinions on draft regulations prior to a potential discussion during the June 8 board meeting isn't ideal, but the CPPA did follow laws and procedures in doing so. According to the Bagley-Keene Open Meeting Act, which was explained by the CPPA in one of its first board meetings last June, agencies are required to post meeting agendas at least 10 days prior to a meeting. The CPPA's meeting agenda and the accompanying draft regulations, included as meeting materials, was posted 12 days ahead of the meeting.

The CPPA said in its agenda that a potential Notice of Proposed Rulemaking may be announced June 8, opening up further stakeholder consultation.

"Entering formal rulemaking will trigger a 45-day public comment period that will give relevant stakeholders and interest parties an opportunity to substantively weigh in," Lamont said.

In the immediate, Daniels expects stakeholders to "rise to the challenge" of digesting the draft rules ahead of the meeting. Roane said, "thoughtful responses" to the initial package in the short span will be difficult but possible, adding that ongoing preparations for a majority of organizations should set them in the right direction.

"We've been thinking about and talking about these issues for years and, for the most part, nothing here is coming out of left field," Roane said. "As we work through the draft there are some that jump to the top of the priority list, but we're confident we'll be able to respond to everything later in the process."

Photo by Humberto Portillo on Unsplash