On December 16, 2022, the California Privacy Protection Agency (CPPA) had its final meeting before the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act takes effect on January 1, 2023. Despite the CPRA taking effect at the start of the year, the CPPA, the agency charged with implementing the law, has not finalized its rulemaking process. It was discussed at the Friday meeting that the final proposed rules are anticipated to be released at the end of January and after going through the various administrative requirements will take effect in April. In the meantime, regulations previously promulgated by the California Attorney General’s Office will remain in effect.
Though it has not finalized its CPRA rulemaking, the CPPA is setting its sights on other rulemaking duties, including the use of artificial intelligence in data collection and businesses’ cybersecurity assessments. The CPPA released sample questions covering these areas which will be finalized and approved in the new year and then released for a comment period in order to collect insights on the framework needed for risk assessments and automated decision-making.
Some of the considerations pertaining to risk assessments that are detailed in the sample questions include laws and other requirements that businesses already have to comply with regarding processing consumers’ personal information that require risk assessments and how those assessments can be aligned with the requirements under the CPRA. Further, the CPPA is considering whether assessments from other privacy statutes and regulations such as the European General Data Protection Regulation and Colorado’s Privacy Act can be used for CPRA purposes.
Similarly, in considering rulemaking regarding automated decision-making, the CPPA is considering questions of other laws requiring access and/or opt-out rights in the context of automated decision-making. The sample questions also seek information about how prevalent algorithmic discrimination based on classification/classes under California and federal law is and if it is more pronounced in some sectors.
Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.