On September 7 and 8, 2021, the California Privacy Protection Agency (“CPPA”) Board held a public virtual meeting regarding the rulemaking process under the California Privacy Rights Act (“CPRA”). The Board indicated that it expects to initiate preliminary rulemaking activities this fall, including soliciting public comments and holding informational hearings, and to publish a Notice of Proposed Rulemaking this winter, with public hearings to take place winter 2021 / spring 2022. CPRA requires the CPPA to adopt final regulations by July 1, 2022.
The Board presented an overview of the rulemaking process as follows.
- The CPPA will first conduct preliminary rulemaking activities, including collecting written comments from the public and holding informational hearings.
- The Agency will start the official rulemaking process by publishing an initial notice package that will include a notice of proposed rulemaking, an initial statement of reasons explaining the purpose and necessity of each regulation, and the text of regulations.
- After the publication of the initial notice package, there will be a 45-day public comment period followed by a public hearing.
- If there are any major changes made to the regulations following the 45-day public comment period, another 45-day public comment period will be initiated followed by a second public hearing. If additional changes are made and the changes are substantial and sufficiently related to the prior edits of the regulations, a 15-day public comment period will be initiated.
- If there are no substantial changes made to the regulations, the Agency will then adopt the final text of regulations and submit it to the Office of Administrative Law for approval, with a target deadline of May 22, 2022.
To facilitate the rulemaking process, the Board’s Regulations Subcommittee proposed the creation of three rulemaking subcommittees: the CCPA Rules Update Subcommittee, the New CPRA Rules Subcommittee, and the Rulemaking Process Subcommittee. The CCPA Rules Update Subcommittee will update exiting rules to include CPRA requirements, such as additional requirements for opt-out requests and new data subject rights under the CPRA. The New CPRA Rule Subcommittee will draft new rules on items not addressed in CCPA rules, such as cybersecurity audits, risk assessments, automated decision making, and agency audit authority. The Rulemaking Process Subcommittee will coordinate rulemaking activities and suggest additional topics for rulemaking.
For guidance related to CCPA/CPRA, please contact our Privacy, Cyber & Data Strategy Team.