by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro
2023 has arrived, and with it comes a novel patchwork of privacy requirements arising out of comprehensive state privacy laws that have been adopted (or amended) by legislatures in California, Virginia, Colorado, Connecticut and Utah. Although privacy practitioners have been busy analyzing these laws and assisting clients with compliance efforts, rulemaking in California and Colorado has made this a moving target. We’ve previously blogged about how companies can prepare for these laws, and how enforcement and guidance under the GDPR might shed light on how some of these laws will be applied. In this series of posts, we will track key rulemaking developments as well as trends in compliance efforts, with practical takeaways for covered companies to consider as these laws, and the regulatory expectations around them, mature.
In this initial post, we review the status of the California Privacy Protection Agency’s (“CPPA”) rulemaking for the California Privacy Rights Act (“CPRA”) following a public meeting on December 16. At the meeting, the CPPA revealed an updated timeline for its rulemaking process and when it expects the rules to take effect. A CPPA Subcommittee presented three new topics for the CPPA to consider for further rulemaking activity: (1) risk assessments; (2) cybersecurity audits; and (3) automated decision-making, along with sample questions for preliminary rulemaking feedback from the public. Notably absent from the discussion on proposed rulemaking, however, was any news related to how future regulations might address personal information collected from California residents in the context of recruitment and employment (“HR”).
Updated Timeline
The CPPA anticipates that final regulations will be released in late January or early February 2023. After finalizing the regulations, the CPPA will submit its final rulemaking package to the California Office of Administrative Law (“OAL”) for approval. The final rulemaking package will include a Final Statement of Reasons and the CPPA’s responses to all public comments received during rulemaking. The OAL then has 30 working days to review the action and either approve or disapprove it. Weekends and state holidays are excluded when counting this 30-working-day period. If the OAL does not approve the proposed final rulemaking package, the CPPA will have an additional 120 days to cure any deficiencies. Given this timeline, the CPPA estimated that the regulations could be effective around April 2023. In the meantime, the Agency advised that existing regulations will remain in effect until the proposed regulations become effective.
New Rulemaking Topics and Questions for Comment
As announced in November 2021, the CPPA’s Rules Subcommittee (“Subcommittee”) is responsible for drafting new rules or items not addressed in the CCPA. At its recent meeting, the Subcommittee presented its current assignment to draft new rules on (1) risk assessments covering businesses whose processing of personal information presents a significant risk to consumers’ privacy or security, (2) cybersecurity audits on an annual basis, again for businesses whose processing of personal information presents a significant risk to consumers’ privacy or security, and (3) access and opt-out rights with respect to businesses’ use of automated decision-making as delegated and described in the text of the CCPA and in the CPPA’s presentation on its goals for the next round of rulemaking.
The Subcommittee also issued a list of Sample Questions for Preliminary Rulemaking on these topics. The questionnaire and presentation suggest the CPPA is focused on:
- Alignment with Other Laws and Best Practices: The sample questions asked what laws, requirements or best practices apply to businesses or should be considered by the CCPA, and in particular what gaps or weaknesses might exist in these existing laws or frameworks that the CCPA should consider. Similarly, the CPPA asked about forms of processing that present a “significant risk” to consumers, whether and to what extent it should draw upon the EDPB’s Guidelines for such assessments and what processing, if any, does not present such risks. This suggests the CPPA may seek to enhance existing obligations under other laws with its own specific requirements and potentially take a broad view as to when cybersecurity audits and risk assessments are required.
- Susceptibility to Harm and Discrimination: The sample questions sought feedback on the communities or individuals that may be more susceptible to harm from data processing practices when it comes to risk assessments. With respect to automated decision-making, the CPPA inquired about the prevalence of algorithmic discrimination and how access and opt-out rights could address such discrimination.
- Models for Risk Assessments and Cybersecurity Audits: The sample questions emphasized drawing from established models of risk assessments or already required or conducted cybersecurity audits in considering whether businesses could leverage existing frameworks to comply with CCPA requirements. The Subcommittee also sought feedback on how businesses could demonstrate to the CPPA that these assessments or cybersecurity audits comply with the CCPA’s requirements.
- Revenue Thresholds and Industry Differences: The sample questions suggest the CPPA is open to applying differing standards to differing businesses. The sample questions asked whether access and opt-out rights regarding automated decision-making technology should differ for consumers across industries and technologies, and whether risk assessment or cybersecurity audit requirements should be different for businesses with less than $25 million in annual gross revenue.
Along with presenting these proposed topics and sample questions for preliminary rulemaking, the Subcommittee proposed to finalize its topics and questions and conduct an additional preliminary rulemaking in early 2023. The Subcommittee is expected to invite written public comment and other preliminary activity, after which the CPPA is expected to discuss proposed regulatory frameworks for the topics discussed above.
HR and B2B Data
Notably absent from the proposed topics for CPPA rulemaking was HR data or business-to-business (“B2B”) data. As we’ve previously written, the California legislature elected not to extend the exemptions under the CCPA for California residents’ HR data or B2B arrangements. These exemptions expired January 1, 2023, the day the CPRA took effect.
So far, the initial CPRA rulemaking process has not addressed these exemptions, and neither did the recently proposed topics for rulemaking. While companies should watch closely to see if the CPPA will take on a rulemaking process for these exemptions, they should also continue preparing to be compliant with CPRA requirements when processing these types of personal information.
Key Takeaways for Companies to Consider
- Companies should continue to conform their privacy practices to the regulations currently proposed by the CPPA and stay tuned for potential updates before the regulations are finalized.
- To the extent that companies already have mechanisms in place to comply with GDPR’s or the California Privacy Act’s requirements for risk assessments, they should consider “translating” them to California, as they will likely be a reasonable basis from which to adjust with any CPRA-specific requirements.
- The HR and B2B CCPA exemptions expired on January 1, 2023, with no indication of regulatory guidance on the horizon. Companies should make best efforts to comply with CPRA requirements as outlined in the statute and draft regulation when processing HR and B2B data, paying particular attention to privacy notices and the provision of rights to covered individuals.
- Companies seeking to anticipate further rulemaking on these topics should review the additional questions described above and watch for further preliminary rulemaking activity in early 2023.
Avi Gesser is a Partner, Johanna Skrzypczyk is Counsel, and Michael R. Roberts and Alessandra G. Masciandaro are Associates at Debevoise & Plimpton LLP. The authors would like to thank Debevoise law clerk Ned Terrace for his contributions to this post. This post first appeared in the firm’s Data Blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).