The California Privacy Protection Agency (CPPA) – the agency that has been tasked with rulemaking under the new California Privacy Rights Act (CPRA) – held its most recent Board Meeting on February 17, 2022. At the meeting, Executive Director Ashkan Soltani provided the following updates on the rulemaking process and agency operations.
Formal rulemaking will start in Q2 and will be completed in Q3 or Q4, meaning regulations will not be issued by July 1, 2022, as required by the CPRA.
The CPRA’s effective date (January 1, 2023) and the enforcement date (July 1, 2023) have not yet been moved.
The Agency will host preliminary instructive and stakeholder meetings in March and April 2022. The instructive sessions will include subject matter experts to provide guidance on the key rulemaking issues that were identified during the September 2021 Invitation for Preliminary Comments. Executive Director Soltani indicated that he expects rulemaking to be completed in Q3 or Q4 of 2022. While he recognized that this means the rules will not be finalized before the July 1, 2022 deadline imposed by the CPRA, he indicated that the delay was necessary “to balance staffing of the agency while undertaking substantial information gathering to support our rules.” However, there was no discussion of an extension of the enforcement date (July 1, 2023) in light of the delay.
The Agency entered into a 12-month sublease agreement for office space in Sacramento. It requested $10 million to hire 34 total staff, including a Deputy Director of Public Affairs to do outreach for the organization, additional attorneys, IT, and administrative staff.
Two bills have been introduced in the California State Assembly that would amend the CPRA to extend the exemptions for employee and business-to-business (B2B) data. Currently, those exemptions are set to expire when the CPRA takes effect on January 1, 2023. Assembly Bill 2871 would keep the exemptions in place indefinitely, and Assembly Bill 2891 would preserve the exemptions until January 1, 2026.
The prospects for passage of either bill are unclear, and even if one of the bills passes, it could face a constitutional challenge. The CPRA has a “one-way ratchet,” meaning as a general matter, it can only be amended by the legislature if the amendment is “consistent with and further[s] the purpose and intent” of the law. Furthermore, the CPRA imposes an additional limitation with respect to amendments to the exemptions in Section 1798.145 (which includes the B2B and employee data exemptions). Specifically, those exemptions can only be amended “if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this act.” This suggests an amendment to extend these exemptions from most CPRA obligations would only be constitutional if it can be justified based on a theory that such amendments enhance privacy – perhaps by pairing them with other provisions giving privacy protection to employee and/or B2B data, which poses an additional challenge.
According to the California State Assembly website, May 27th is the last day for each house to pass bills introduced in that house, and August 31st is the last day for each house to pass bills during this legislative session. In light of the uncertain outcome here, companies should at least begin assessing the B2B and employee data they collect (e.g., what and how it’s collected, the purposes of processing, the potential need for retaining the data, and what sensitive data may be included) so they can move quickly with a compliance plan covering CPRA obligations with respect to such data if no further amendments are passed.