As part of its continued preliminary rulemaking activities, the California Privacy Protection Agency (“CPPA”) will be holding stakeholder sessions Wednesday, May 4 through Friday, May 6 to provide an opportunity for stakeholders to weigh in on topics relevant to upcoming rulemaking. The Agenda for each of the sessions, which are slated to last an entire day, is available here.
The Agenda lists various topics on which the CPPA will allow stakeholders to provide input, including automated decision-making, data minimization and purpose limitations, dark patterns, consumers’ rights, cybersecurity audits and risk assessments, and audits performed by the Agency. In addition to defined topics, there are also time slots available for general public comments for individuals or entities who did not have an opportunity to register in advance to make comments. If the length of time devoted is an indication of the Agency’s focus on a particular topic, it is worth noting that the time allotted for automated decision making (three hours) and consumer rights (six hours) – with two and a half hours devoted to opt-out rights, two and a half hours devoted to rights to delete, correct, and know, and one hour devoted to the sensitive PI opt-out – is significantly greater than other topics.
As we reported previously, the CPPA reported that it will miss its July 1, 2022 deadline for final CPRA regulations. In fact, we will be lucky to have regulations by the time the CPRA becomes fully operative on January 1, 2023. In its most optimistic estimate, the CPPA is shooting for the middle of the fourth quarter of this year for final regulations.
Please contact the author or your relationship attorney at Squire Patton Boggs if you have questions about privacy rulemaking in California or Colorado, which is also actively engaged in pre-rulemaking activities, as we discussed here. We are working with clients, trade organizations, and bar associations to help them participate in the preliminary and formal rulemaking processes in these states.