The California Privacy Protection Agency (CPPA) voted unanimously Friday to approve the newest version of the draft California Consumer Privacy Act (CCPA) regulations. These regulations are substantively the same as those considered by the CPPA Board during its October 2022 meeting. This vote marks the conclusion of a chapter that began in May 2022, when the CPPA first published draft proposed regulations.
The CPPA Board provided its staff time—likely no more than two weeks—to finalize the rulemaking package. Once complete, the package will be submitted to California’s Office of Administrative Law (OAL) for approval. The CPPA staff was given the freedom to submit the package in whole or in part to ensure that the submission has the best possible chance of approval.
The OAL has no more than thirty business days to approve or reject this rulemaking package. If rejected on minor or technical grounds, the CPPA may have the opportunity to correct such during this thirty business day window. For more substantial issues, the CPPA will need to amend the draft regulations and offer a fifteen day public comment period.
In all, this process will likely take approximately fifty to sixty days, at which time the OAL will announce its decision.
Additionally, the CPPA voted at its board meeting Friday to issue an invitation for preliminary comments on new rules regarding risk assessments, cybersecurity audits, and automated decision-making in the near future. The CPPA is in the early stages of drafting rules on these topics and is looking for public comment on a broad range of issues related thereto.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments surrounding CCPA rulemaking and provide updates as more information becomes available. Please contact us if you have any questions.