Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations.
The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law for review and approval. Barring setbacks during the OAL's 30-day review window or other unforeseen circumstances, the agency said in its FAQ it expects the final regulations to take effect sometime in April ahead of CPRA enforcement beginning July 1.
The proposed final rules take on a range of regulatory topics the CPPA considered and sought extensive feedback on last year. Topics covered include data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.
The rulemaking process on the first set of regulations was initially scheduled for completion July 1, 2022, but the CPPA announced the process would take longer due to limited staffing and resources as the new agency stood itself up.
"We might be perceived as being slow, but I very much doubt there is another agency out there in California that has put together the package we have put forward within the timeliness we have done it," CPPA Board Member Lydia de la Torre, CIPP/US, said. "That really goes to highlight the professionalism and dedication of everybody on staff that has dedicated time to these."
Within the proposed final regulations is a discretionary enforcement reprieve. The agency added a rule to allow itself to "consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."
Orrick, Herrington & Sutcliffe Partner Shannon Yavorsky said companies were happy to see the proposed final regulations approaching the finish line despite "hoping for certainty of the final regulations a bit sooner." Hogan Lovells Senior Associate Julian Flamant, CIPP/E, added the extended rulemaking process has been "frustrating for businesses seeking to comply in good faith" because implementation of most CPRA concepts "have only been made clear in the regulations."
In addition to finalizing the initial set of proposed regulations, the CPPA used its latest meeting to initiate pre-rulemaking activities on its next set of CPRA regulations covering cybersecurity audits, risk assessments and automated decision-making.
"The nature of rulemaking is to be responsive to the public and businesses' needs and our statute explicitly orders us to do that," CPPA Board Chair Jennifer Urban said. "We will be regularly considering items for potential rulemaking. … It's important for us to keep that front of mind as we're meeting."
The final package
CPPA General Counsel Phillip Laird and Senior Privacy Counsel Lisa Kim, CIPP/US, presented to the board a detailed outline of what comprises the package.
The proposed final regulations received no substantive changes from the modifications discussed and adopted at the CPPA board's October meetings. Laird said the agency received 50 comments during the final 15-day public comment period, but further changes were viewed as unnecessary or capable of being addressed after the rules were finalized.
Kim explained the draft final statement of reasons "explains the purpose or benefit of each regulation, including why the regulation is necessary." The statement includes two appendices that provide the agency's responses to all 1,500 pages of public comments and questions made throughout the rulemaking process.
Meeting expectations
The agency's tedious development of the first regulations provided privacy professionals with a view into the evolution of some regulations and omissions related to others.
Orrick's Yavorsky said attempted harmonization between the CCPA and other comprehensive state privacy laws is reflected in the proposed final regulations, which carry a main focus to "clarify the law rather than create new obligations." There's also influence from recent CCPA and EU General Data Protection Regulation enforcement baked into the rules.
"Multiple amendments either directly mention — in the case of supporting (Global Privacy Control) for opt-out signal compliance — recent enforcement," Yavorsky said. "Others indirectly — in the case of specificity of disclosures shaping consumer expectations — allude to recent enforcement decisions."
Clarifications on proposed rules for the recognition of user consent were not as clear as anticipated, according to Hogan Lovells' Flamant, who would like to see OAL "heavily" scrutinize the current language regarding a perceived choice between providing opt-out links or recognizing GPC signals.
"The CPPA stated in its initial and final statements of reasons that businesses' view of having a choice misinterprets the CPRA requirement," Flamant said. "While the CPRA does authorize the CPPA to establish technical specifications for the opt-out, it does not seem to follow that the regulations could contravene the statute."
Flamant also alluded to disappointment with certain topics going unaddressed in the proposed final regulations, including employee data and the distinction between service providers and contractors.