California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.

CPPA executive director and staff to be appointed

With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.

Extension of the July 1, 2022 rules deadline

With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline. 

Rulemaking and new regulations

Based on a report of the Board’s rulemaking subcommittee, the current expectation is that CPRA rulemaking will double the current body of CCPA regulations. To handle this rulemaking workload, the Board intends to create three subcommittees tasked with the following:

Updating CCPA rules subcommittee topics

  • Opt-out requests (including signal)
  • Accessibility
  • Rights to erase, correct and know
  • Use of personal information by contractors/services

New rules subcommittee topics

  • Cybersecurity audits
  • Risk assessment
  • Automated decision making
  • Agency audit authority

Rulemaking process subcommittee topics

  • Coordinate pre-rulemaking and rulemaking activities
  • Make recommendations whether rules are needed for certain topics
  • Coordinate report on scope of privacy rules that apply to insurance corporations
  • Suggest additional topics for rulemaking and secure resources

Practical impact and takeaways

This time around, key provisions of the CPRA, including automated decision-making, opt-out signals, and impact assessments were expressly left to be fleshed out through rulemaking. This fact, and the agency’s expectation that it will double the current body of CCPA rules, means not only that the CPPA will have its hands full but that companies looking to keep abreast of the CPPA’s rulemaking efforts will have to remain vigilant and adaptable as the “CCPA 2.0” landscape takes shape.