Calif. Agency Launches Privacy Law Rulemaking, Releases Draft Rules

The CPPA board voted 4-0 to authorize Executive Director Ashkan Soltani to start the rulemaking and public comments period, make nonsubstantive changes to draft rules and set a hearing. Board member Lydia de la Torre, a Santa Clara University law professor, was absent. CPRA will replace the California Consumer Protection Act (CCPA) Jan. 1. Meanwhile, Congress is considering a federal bill (see 2206030058). CPPA had pre-rulemaking informational and stakeholder hearings and received many written comments this year (see 2205260061).

"This is very impressive work, in a very difficult timeline, that takes into account a lot of really helpful feedback from the public,” said CPPA Board Chair Jennifer Urban, a University of California, Berkeley law professor. Wednesday’s action merely starts the process, with the agency to have a hearing and take written comments before submitting final rules to the California Office of Administrative Law, she said. The draft rules and accompanying initial statement of reasons (ISOR) provide clarity to businesses and consumers, said board member Angela Sierra, who was previously chief assistant attorney general of the California Public Rights Division.

The CPPA has reached an “incredible milestone,” said board member Chris Thompson, LA28 senior vice president-government relations. "We all share [the] desire to ensure that we issue regulations and enforce those regulations in a way that protects consumers’ privacy” and allows “consumers to understand and make informed decisions about protecting their own privacy,” while “balancing that with clarity and regulatory certainty for those who are regulated.” Board member Vinhcent Le, the Greenlining Institute’s technology equity attorney, said the draft rules are “very detailed.” He praised proposed rules on dark patterns to ensure consumers know when they’re giving consent.

"The proposed regulations provide comprehensive guidance to consumers, businesses, service providers, and third parties, on how to implement and operationalize new consumer privacy rights and other changes to the law introduced by the CPRA amendments to the CCPA,” said the draft ISOR. "They set forth clear requirements for how businesses are to craft their methods for submitting consumer requests and obtaining consumer consent so that the consumer’s choice is freely made and not manipulated, subverted, or impaired through the use of dark patterns.” The draft sets requirements for global opt-out signals and explains that CPRA changes “restrict businesses from collecting, using, retaining, and sharing consumer personal information in a manner that is inconsistent with consumer expectations, unless they obtain the consumer’s explicit consent.”

Draft rules consider other jurisdictions' privacy laws so that complying “would not contravene a business’s compliance with" Europe's General Data Protection Regulation (GDPR) or Colorado, Virginia, Connecticut and Utah privacy laws, said the ISOR. "It simplifies compliance for businesses operating across jurisdictions and avoids unnecessary confusion for consumers who may not understand which laws apply to them.”

The public may comment “multiple times during the formal rulemaking process,” says the CPPA website. A notice of proposed rulemaking action will open an initial 45-day comment period, plus the CPPA plans a public hearing, it said. If the agency proposes any substantive modification to proposed rules after that, it will take more comments for at least 15 days, it said.

“The CPPA appears to be veering far afield from the direction that other recently enacted state privacy laws have taken, potentially imposing a number of prescriptive requirements and impractical obligations that will not align well with many businesses' operations,” blogged Nancy Libin and other Davis Wright attorneys Friday.

The draft rules "take a prescriptive approach to privacy obligations," Alysa Hutnik and other Kelley Drye lawyers wrote May 30. That's unsurprising but is concerning because it departs from other state privacy laws, they said. “The quiet release of dramatic new obligations while bipartisan" U.S. senators are working on a federal bill that “could preempt state law obligations puts companies doing business in California in a difficult position.”

California’s proposed rules are "strikingly pro-consumer, capturing an array of concerns and proposals that privacy advocates have been articulating for several years,” Ballard Spahr attorneys Philip Yannella and Gregory Szewczyk blogged June 1. "In one of the few pro-business amendments, the proposed regulations do introduce a 'disproportionate effort' defense for companies facing overly burdensome consumer request.” But the bar is high on businesses seeking to use that defense, they said. Draft rules "are dense and highly technical, nearly doubling in length the current CCPA regulations,” and they could grow, said the lawyers: If adopted as proposed, CPRA rules "will require a substantial expansion of privacy compliance operations for many businesses subject to the law.”

Expect more draft rules to be issued later since the first set didn’t address all 22 regulatory topics required by the CPRA, Husch Blackwell attorney David Stauss wrote May 29: Notably missing are “cybersecurity audits, risk assessments, and opting-out of automated decision-making technology.” Stauss predicted global opt-out signals will be a big topic of debate during the rulemaking because draft rules make them mandatory even though CPRA said it would be optional. “Businesses should be mindful that the CCPA regulations were significantly revised before being finalized,” he noted.

It’s not possible for the CPPA to adopt final rules by the law’s July 1 deadline, Fisher Phillips attorney Darcey Groden blogged June 1. “More realistically, the earliest date for having final regulations is August.” However, businesses should prepare now because the CPPA “has made clear it wants the regulations to give the law real teeth,” they said.

Others say final rules will take longer. "The state's protracted rulemaking process means final regulations are unlikely until January 2023, if not later," Holland Knight lawyers Ashley Shively and Rachel Marmor wrote June 1.