
California Privacy Agency Votes to Expedite Rulemaking

As we previously reported, on March 8, 2024, the Board of the California Privacy Protection Agency (CPPA) voted to forward the proposed regulations to the official rulemaking stage.

New draft regulations were proposed by the CPPA staff and considered, but not approved, by the CPPA Board in the fourth quarter of 2023. In February 2024, further revised draft regulations were published, and on March 8 the CPPA Board voted 5-0 to amend the existing regulations and, after a spirited debate, 3 (Urban, Le, and Worthe in favor) to 2 (de la Torre and Mactaggart opposed) to also introduce new draft regulations regarding data risk assessments and data-driven technologies. The latter vote came with instructions to the staff to add, to the requirements for submitting summary assessments to the CPPA, a discussion of the safeguards used to mitigate the risk (except where disclosure would constitute a security risk). In each case, the staff was authorized to prepare the materials necessary under the administrative procedures rules and regulations to publish a notice of proposed rulemaking, a publication that would be subject to a further vote by the Board after review of the rulemaking package. Staff was also authorized to make further changes to the draft regulations to clarify the text or bring it into line with the law. While the motions did not set a specific date for staff to complete their work, discussions assumed it would occur no later than the July 2024 board meeting.

Staff met that deadline, and the CPPA Board now plans to consider the rulemaking package at its July 16 meeting. Package documents are here:

Interestingly, the draft provisions on cybersecurity audits (Article 9) were included in the draft, although they were not part of what the Board had previously proposed.