The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July 1, 2022 statutory deadline remains a challenging task given the scope and complexity of the areas to be regulated and the new agency’s limited resources.

Meeting the July 1 deadline

Per Section 1798.185(d) of the California Consumer Privacy Act (as amended by the CPRA), the “timeline” for adopting final regulations required by the CPRA is July 1, 2022. As detailed in the CPPA Board’s initial meeting, California’s rulemaking process requires significant work, both before formal rulemaking can begin and during the formal rulemaking process. There also are required comment periods and interactions with other agencies that impact the rulemaking timeline. For context, the CCPA rulemaking process took roughly 20 months — preliminary rulemaking activities started in January 2019, the notice of proposed rulemaking was filed nine months later in October 2019 and the regulations were approved in August 2020.

At the board’s Nov. 15 meeting, the rulemaking process subcommittee provided an update outlining the challenges for the agency in meeting this date. In addition to noting the agency’s limited resources  (Soltani is the only full-time employee) and the complexity of the topics involved in the rulemaking, it identified the potential need to include a standardized regulatory impact assessment in its Notice of Proposed Rulemaking package. A SRIA is required when an agency is promulgating a “major regulation” – where the economic impact is estimated to exceed $50 million. It seems likely the CPRA will meet this threshold given the new topics it identifies for regulation.

If a SRIA is required, it will impact the rulemaking timeline. A vendor will need to be chosen through an open bidding process to prepare the document and the SRIA must be submitted to the Department of Finance for review at least 60 days prior to filing the Notice of Proposed Rulemaking. With roughly seven months until the July 1 deadline, the time available for the rulemaking process is already limited, especially considering the Office of Administrative Law has 30 business days to review the Final Rulemaking package.

The subcommittee proposed a number of potential solutions to address the time constraints, including staggered rulemaking or delaying enforcement deadlines. It also outlined the emergency rulemaking process for the board’s consideration and the “emergency” standard the agency would need to meet. With emergency rulemaking, the timelines for notice, comment, and OAL review are significantly abbreviated, minimizing the opportunity for public input– an acknowledged downside. Emergency regulations have a limited effective period, but can become permanent if the agency timely adopts them through the regular rulemaking process.

The board discussed opportunities to obtain public input if the emergency rulemaking process is used. There can be public participation in the drafting process prior to the emergency Notice of Rulemaking, and also during the regular rulemaking process required to adopt final regulations.

The board did not decide on a path forward, but it seems likely one or more of the options presented will come into play given the compressed rulemaking timeline.

Preliminary rulemaking activities

Section 1798.185(a) of the CCPA (as amended by the CPRA), identifies 22 areas for regulation. IAPP Sept. 7-8 and November materials.

To inform its development of new regulations, the agency issued an invitation for preliminary comments, specifically asking about “new and undecided issues” not addressed by the existing CCPA regulations. Issues identified by the agency included:

  • Cybersecurity audits and risk assessments
  • Automated decision making
  • The agency’s audit authority
  • The right to correct inaccurate information
  • Limiting the use of sensitive personal information
  • Opt-out preference signals (relative to the new rights under the CPRA)
  • The applicable standard for a business’s determination that responding to a request to know beyond 12 months would be “impossible” or “would involve a disproportionate effort”

The agency received “several dozen” comments in response to this invitation that are being reviewed by the drafting subcommittees. Informational hearings also are being planned.  

Agency staff

In addition to Soltani, the agency has hired a retired annuitant, Brian Soublet, on a part-time basis who is acting as interim general counsel. Soublet is formerly the Deputy Director and Chief Counsel for the California Department of Motor Vehicles and has experience with rulemaking. The Office of the Attorney General also is providing legal and operational support as the agency works to meet its staffing needs.

The agency is reviewing applications submitted for the general counsel and chief deputy director of administration positions.

Looking ahead

The board has not scheduled its next meeting. We will continue to monitor the agency’s work and how it plans to address the compressed rulemaking timeline.

Note: Webcasts for the CPPA Board meetings, along with the agenda, meeting materials and meeting minutes, can be accessed on its website. The agency also has a separate regulations page for its rulemaking activities.

Photo by Humberto Portillo on Unsplash