Calif. Privacy Agency Board Greenlights CPRA Rules
The California Privacy Protection Agency voted 4-0 to approve California Privacy Rights Act (CPRA) rules Friday. Also at the virtual meeting, the agency agreed to seek comments on a proposed rulemaking on risk assessments, cybersecurity audits and automated decision-making. The privacy agency’s executive director said in December the CPRA rules could take effect in April or later (see 2212160040). The statute took effect Jan. 1.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Agency staff will file the approved rules with the Office of Administrative Law within two weeks, General Counsel Philip Laird said. The office then will have 30 business days to review and will notify the privacy agency how it intends to proceed shortly before the end of that period, he said. The office usually raises at least some issues, noted Laird: Sometimes tweaks can be handled quickly, but more substantive issues may require an additional notice of modified text and 15-day comment period. If the office raises issues with only a few aspects of the rules package, it might let the agency withdraw those parts and approve the rest of the omnibus, he said.
Final draft rules contained no substantive changes from the modified rules approved by the board in late October (see 2210310074 and 2210280055), said Laird. The privacy agency released the regulations’ text and a draft final statement of reasons earlier last week. Staff reviewed comments after the October meeting and decided no further changes were needed, said the California agency’s Senior Privacy Counsel Lisa Kim: Many comments repeated previously made suggestions. The agency received about 150 comment letters comprising about 1,500 pages over the entire rulemaking, she said.
Staff plans to bring back certain additional issues raised by board members in past meetings for consideration at a future meeting, Laird said. Staff took notes, Kim assured board members. “It’s a long list.”
Board member Lydia de la Torre said she would support the rules package with the understanding the board will return to her issues with Section 7002 on restrictions for collecting and using personal information. She raised concerns about no clear carve-outs for journalistic research, archiving and statistical uses of data. “I don’t think we want to be more restrictive than Europe,” she said. “Research shouldn’t be an afterthought.”
The public will have 45 days to comment on the upcoming rulemaking about automated decision-making and other issues, said board Chairperson Jennifer Urban. Board member Vinhcent Le said the "questions reflect the seriousness with which we're approaching" those issues. Among other queries, the draft invitation seeks comments on how businesses have been using algorithms and the prevalence of “algorithmic discrimination.”
Board members plan to take up administrative matters for the nascent agency at their next meeting, said Urban. In Colorado, the attorney general’s office heard concerns from businesses and consumer advocates about proposed Colorado Privacy Act rules at a hearing Wednesday (see 2302010043).
About 15 states are considering comprehensive privacy bills this year, shows a Husch Blackwell tracker. Five states enacted laws. The New Jersey Senate voted 27-11 Thursday to pass SB-332, sending it to the Assembly. The Hawaii House Higher Education and Technology Committee voted 8-1 Wednesday to clear HB-1497, which still needs two more committee approvals before going to the full House. Mississippi’s HB-2080 died in committee Tuesday. An Indiana bill recently cleared a committee unanimously (see 2301260044).