The California Privacy Protection Agency (“CPPA”) held a board meeting on May 26th, 2022. At the meeting, Executive Director Ashkan Soltani, Acting General Counsel Brian Soublet, and members of the Board offered insight into the following key topics:

  • Bifurcation of CPRA Rulemaking Process: The Board’s CPRA Rules Subcommittee indicated that the CPPA’s rulemaking process will be split across multiple packages of rules. The first rulemaking package will prioritize procedural rules that must be put in place prior to the commencement of enforcement activities on July 1st, 2022. It will include draft rules related to administrative enforcement, the CPPA’s audit authority, and probable cause hearings. It will not include rules covering cybersecurity audits, privacy risk assessments, or automated decision making and profiling. Subsequent rulemaking packages will address those three topics and potentially others as well. The Board members did not give any indication as to how this divided rulemaking process might impact the timeline for completion of rulemaking.
  • CPPA Rulemaking Process: The Board’s Rulemaking Process Subcommittee presented a loose overview of the CPPA’s public meeting schedule for the upcoming rulemaking (slides here).
    • The Board will discuss the rules in greater depth at a second meeting, which the Board decided should be scheduled to allow public comment. One of the Board’s objectives at this meeting will be to identify areas of uncertainty where public comment would be particularly helpful.
    • Additional meetings will be held as needed to facilitate Board discussion of changes and updates to the proposed rules. These meetings may include presentations by experts and CPPA staff.
    • Once this revision process has concluded, the Board will hold a final meeting to discuss the Final Statement of Reasons and vote to approve the filing of the package of rules with the California Office of Administrative Law.
  • Updates to CCPA Rules: The Board’s Update of CCPA Rules Subcommittee discussed efforts to update CCPA rules to bring them in line with the CPRA. These revisions will amend existing rules to integrate new consumer rights, dark pattern requirements, and definitional changes introduced by the CPRA. They may also reorganize parts of the existing regulations to make them more readable to businesses and members of the public.
  • CPPA Operations and Internal Management The agency is staffing up, including by hiring Maureen Mahoney, formerly of Consumer Reports, as Deputy Director of Policy and Legislation.

At the close of the meeting, Board members indicated an intent to revisit the role of subject-matter subcommittees and consider the substance of proposed rules in subsequent meetings. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”