CPPA Regulatory Delays and Enforcement Updates: Takeaways from July Board Meeting

On July 16, the California Privacy Protection Agency (CPPA) held a public meeting of its Board (the Board). Four days before the meeting, the CPPA released revised draft rulemaking totaling several hundred pages—including a revised combined draft rulemaking package on risk assessment regulations, cybersecurity audit regulations, and automated decision-making technology (ADMT) regulations.

The meeting itself focused much more on ADMT and artificial intelligence concepts than previous meetings, but it nonetheless resulted in several important updates related to privacy. Below, we summarize several key takeaways from the July Board meeting that provide insight into future compliance considerations.

CPPA Defers Action on Revised Draft Regulations

Building up to the July meeting, there was some preliminary indication that the Board would be expected to vote in the meeting on whether or not to enter the revised draft rulemaking package into final rulemaking procedures. Although the Board engaged in robust back-and-forth discussions on the revised draft regulations, it ultimately concluded that a more fulsome economic analysis must first be completed and deferred voting on entering into final rulemaking procedures until a future meeting (likely the Board's next meeting in September). The Board and CPPA staff tacitly agreed that, for the next meeting, the draft regulations package will likely look similar to its current form but with several proposed alternatives based on the results of the economic analysis conducted.

The Board was particularly divided on issues relating to the proposed ADMT regulations. Specifically, the Board was very divided on whether the current requirements for conducting a risk assessment are overbroad—especially since under the current proposed draft, risk assessments are required in all instances when an entity is using ADMT for a "significant decision concerning a consumer." Similarly, the Board debated whether the definition of ADMT is overbroad, expressing concern that current definitions would encapsulate simple technologies that may not involve otherwise high-risk processing of personal information.

Ultimately, the Board gave the CPPA staff a series of topics to research with the expectation that the staff will return with proposed alternatives—as well as a more thorough economic analysis—at the September meeting.

New Enforcement Priorities and More Advisories on the Horizon

Separate from the discussion surrounding the proposed draft regulatory package, the CPPA Deputy Director of Enforcement Michael Macko presented a summary of the past year's enforcement efforts (compiled in a slide deck released as part of the meeting materials). Macko highlighted the CPPA Enforcement Division's infrastructural improvements with increases in staff and case management capacity, which allowed the Enforcement Division to handle over 2,000 complaints in the past year. The most common categories of complaint pertained to (i) consumer deletion rights, (ii) alleged improper collection, use, or storage of personal information, and (iii) consumer rights to opt out of the "sale" and "sharing" of their personal information. Notably, the Enforcement Division grew from only 10% of its attorney capacity at the beginning of the year to over 82% of its attorney capacity by the end of the fiscal year, indicating that the Enforcement Division is well poised in the coming year to take on additional enforcement actions.

Macko also unveiled a new set of priorities that he stated will inform enforcement efforts for the coming year, specifically focusing on:

1. Businesses that fail to honor opt-out requests unless a consumer submits verification.
2. Businesses that sell or share personal information without notices / opt-out mechanisms.
3. Businesses that use dark patterns to prevent consumers from exercising their rights.
4. Businesses that violate the law in ways that affect vulnerable populations or groups.

Finally, Macko touched on the CPPA Enforcement Division's issuance of enforcement advisories (as seen recently in the CPPA's first enforcement advisory, issued in April, focusing on data minimization), stressing that advisories are intended to deter violations of the law and hinting that another enforcement advisory may be issued soon.

CPPA Prioritizes Seeking GDPR Adequacy Decision

The July Board meeting also covered the CPPA's cooperation with other state, federal, and international agencies, with a particular focus on seeking an adequacy decision under the General Data Protection Regulation (GDPR). For next steps, the CPPA agreed that they will invite various European regulators to future meetings to clarify what steps would be necessary to obtain an adequacy decision, and the Board expressed a desire to work closely with the California state government to promote legislative action needed to support such a decision.

                                  *                       *                       *                       *

If the July Board meeting is to serve as any indication, future Board meetings will continue to address privacy, enforcement, and other issues, with a particular focus on artificial intelligence and ADMT concerns. Meanwhile, the draft rulemaking package is not expected to significantly change before the September CPPA Board meeting, and the draft regulations include many provisions that companies may want to comment on. Perkins Coie has been involved in rulemaking since the California Consumer Privacy Act was passed and will continue to assist clients seeking practical changes to the draft regulations.