On Friday, July 14, 2023, on the heels of the California Attorney General’s (AG) announcement seeking information from California employers on their compliance with the California Consumer Privacy Act (CCPA), the California Privacy Protection Agency (CPPA) Board of Directors (the Board) held a public meeting to discuss a number of highly anticipated topics.

Enforcement Update from Michael Macko, Deputy Director of Enforcement

Michael Macko cleared up some of the confusion surrounding enforcement after the June 30, 2023, California Superior Court decision muddied the waters on enforcement dates. Macko strongly stated that there will be “vigorous enforcement” and that “businesses do not have a free pass from all enforcement,” because nothing stops the CPPA Enforcement Division (the Division) from enforcing the new statutory changes to the CCPA, which came into effect on January 1, 2023. Additionally, Macko stated that the Division can and will enforce original CCPA regulations (those issued before March 2023).

In the coming weeks and months, the CPPA will prioritize the following areas (not in any particular order) where the public will benefit the most, in their opinion:

  • Privacy notices and policies. The Division will review notices and policies to ensure compliance with the law’s requirements. Macko noted that businesses have had plenty of time to comply with this requirement and that notice to consumers is a “gateway issue” and is not “onerous.”
  • Right to delete. Macko noted that this is also well established and that the Division will review whether and how businesses are complying with this “long-standing right we have in our law.”
  • Implementation of consumer requests. The Division will focus on business practices, specifically how businesses “implement consumer requests they receive”such as opt-outs, and what businesses are doing in response. Macko also noted that businesses need to do more in this regard than simply pay “lip service.”

Macko did note that, “nonetheless,” the Division will be sensitive to the potential impact of the court’s June 30, 2023, decision on businesses that designed their practices based on the new regulations. At the same time, Macko clearly stated that where the Division finds enforceable violations, it will take “aggressive action,” since businesses have been on notice. While the Division is working on expanding its staff, including by adding three enforcement attorneys, Macko noted that the Division is not waiting to begin enforcement and will use existing resources during the expansion.

Consumer Complaint System

The CPPA soft-launched a new complaint form through its website and provided a preview during the CPPA meeting: https://cppa.ca.gov/webapplications/complaint.

In contrast to this portal designed specifically for the intake of privacy complaints to the CPPA, the active complaint form on the website of the California AG’s office is framed as a mechanism by which California consumers can submit complaints on areas outside the scope of privacy rights. Presumably, given the California AG’s and CPPA’s dual enforcement authority, a consumer may still submit privacy complaints through the California AG website. Consumers are also provided the option to mail in their complaint.

The CPPA indicated that since the launch of the portal, it has received 13 complaints, with complaints regarding the right to limit the use of sensitive personal information being the most common.

Automated Decision-making

The CPPA previewed the three areas of regulation that have yet to be published: cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). With respect to automated decision-making, the CPPA discussed potential regulations governing the access and opt-out rights of consumers when a business uses ADMT. In addition, the CPPA discussed a potential definition of “ADMT,” as follows:

ADMT means any system, software, or process—including one derived from machine-learning, statistics, or other data processing or artificial intelligence techniques—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. ADMT includes profiling.

The Board expects to provide a draft of the proposed regulations by the next Board meeting, which is scheduled for September 2023.

Cybersecurity Audits and Risk Assessment

This discussion included an overview of key issues regarding cybersecurity audits; audit and assessment thresholds; risk assessment requirements; and much more.

The CPPA also took into consideration the need to balance the value of these regulations with the cost to businesses. For example, it was suggested that any cybersecurity audit requirement will also take into account cybersecurity audits, assessments, or evaluations previously completed by a business for a different purpose. The CPPA also noted that any requirements would consider compliance with other jurisdictions’ requirements, so it comes as no surprise that many of the proposed considerations seemed similar to Colorado’s requirements.

In the meeting materials posted on its website, the CPPA did provide detailed proposed language, despite such language being purely speculative at this point: https://cppa.ca.gov/meetings/materials/20230714.html

The Board also expects to provide a draft of the proposed regulations by September 2023. Additionally, the Board noted that it is a key priority to finalize these regulations, including those regarding automated decision-making, as soon as possible.

Legislative Updates, Including the Board’s Support of SB 362, Amending California’s Data Broker Registry Law

SB 362 would amend California’s Data Broker Registry Law to (1) transfer administrative and rulemaking authority over the data broker registry from the Department of Justice to the CPPA and (2) direct the CPPA to establish an accessible, one-step deletion mechanism to allow a consumer to ask that all data brokers delete their personal information. The CPPA would enforce the measure, and the Board agreed that this would be consistent with the CPPA’s mission to not only protect California consumers’ privacy but also make it easier for consumers to exercise their privacy rights.

The Board also supported:

  • AB 947, California Consumer Privacy Act of 2018: Sensitive Personal Information. AB 947 would define “sensitive personal information” for purposes of the CCPA to include personal information that reveals a consumer’s citizenship or immigration status.
  • AB 1194, California Privacy Rights Act of 2020: Exemptions: Abortion Services. AB 1194 would amend the CCPA to provide that certain exemptions do not apply if the consumer’s personal information contains information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including abortion services.
  • AB 1546, California Consumer Privacy Act of 2018: Statute of Limitations. AB 1546 would require that any civil action by the AG to enforce the CCPA begin within five years of the violation.
  • SB 544, Bagley-Keene Open Meeting Act: Teleconferencing. SB 544 would amend the Bagley-Keene Open Meeting Act to allow state bodies to conduct public meetings exclusively via teleconference. The Board noted they supported SB 544 only if it is amended to remove the proposed requirement that a majority of the quorum be physically present.