The California Privacy Protection Agency Board held a meeting over the weekend to review and consider the modified proposed California Consumer Privacy Act (CCPA) regulations, which were previously published on September 17, 2022. At the meeting, the Agency was authorized to take all steps necessary to prepare and notice the proposed regulations.
What’s Next?
- Once noticed, there will be a fifteen day comment period. There was no mention of the longer 45-day comment period in the meeting.
- After the comment period, the Agency will prepare a final rulemaking package for consideration by the Board and then this package will be submitted to the Office of Administrative Law (OAL) for review.
- The OAL will have 30 business days to review and the Board hopes that the process will conclude by the end of the year, in which case the regulations would become effective late January or early February.
- Throughout the meeting, the Board stressed the urgency of finalizing the regulations, making it their main goal to not delay implementation of the regulations. However, it was mentioned that it is likely that the regulations will be revisited at a later time.
Potential New Regulation on Timing
During the meeting, it was asked of the Board to consider a new regulation regarding the timing of the final regulations when engaging in any enforcement actions. Specifically, it was directed for the Agency to consider a “new regulation that states that the Agency has discretion to consider the amount of time between the effective date of the statutory or regulatory requirement and possible violations of those requirements, as well as good faith efforts to comply.” The Board sympathized that the full package of CPRA regulations were supposed to be finalized by July 1, 2022. However, as it stands, only a partial rulemaking package will be finalized approximately six or seven months after the July 1 deadline. This will give businesses significantly less time to drive compliance.
More Changes to the Proposed Regulations
In addition to the new regulation on enforcement, the next set of proposed draft regulations that are submitted for the fifteen-day comment period will have a number of changes from the current modified proposed regulations. It was discussed during the meeting that additional changes were identified since publishing the proposed modified regulations in September. Primarily, these changes were grammatical or resolved ambiguities. Further, the Board instructed the Agency to consider changes involving the right to limit the use of sensitive personal information, opt out preference signals, and the provisions in § 7002 dealing with purpose limitations, secondary uses, and data minimization.
- The Board thoroughly discussed the section that lists the permissible purposes for which businesses can process sensitive personal information without having to provide consumers with the right to limit. Concerns were raised that the listed purposes do not allow businesses to process employee sensitive personal information for DEI purposes without having to provide the right to limit. Specifically, the Board asked the Agency to consider (1) including a reference to Civil Code § 1798.121(a); (2) including language stating that the use and disclosure of the sensitive personal information shall be reasonably necessary and proportionate to achieve the purposes listed within the regulation; and (3) move the term “collect” in the preamble of this section. The Board further agreed that this provision was one that would require further consideration at a later date after the regulations are finalized.
- The Board discussed the opt-out preference signal and concerns with how businesses would operationalize this regulation and whether it would lead to unintended consequences. Specifically, the Board discussed how businesses should treat the opt out preference signal vis-à-vis financial incentive programs and the treatment of pseudonymous profiles. The Board directed the Agency to consider adding clarifying language that (1) opt-out preference signals should apply to pseudonymous profiles, e.g., consumer profiles associate with the browser or device; (2) if a business asks and the consumer does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal; and (3) a business shall still apply an opt-out preference signal to the browser or device, or the known consumer, if the business does not ask the consumer to affirm their intent to withdraw from a financial incentive program.
- Lastly, the Board brought up concerns relating to regulation section that addresses purpose limitations, secondary uses, and data minimization. As a result, the Board instructed the Agency to consider (1) adding clarifying language about a consumer’s expectation regarding the examples set forth in the section; (2) remove the word “factors”; (3) add clarifying language within the section about the straightforwardness and ease of understanding of the disclosure; and (4) add clarifying language regarding the “consumer.”
Although the Board agreed that there will be changes in the next set of the published regulations, the Board also agreed that finalizing the current proposed regulations is priority and that their proposed changes could wait to be implemented in a future version of the regulations after these regulations are finalized.
To read more, please visit this link.