In November 2020, California voters passed Proposition 24, the California Privacy Rights Act ("CPRA"). The CPRA amends and extends the California Consumer Privacy Act of 2018 ("CCPA"). To implement the law, the CPRA established the California Privacy Protection Agency ("Agency") and vested it with the full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018. The Agency’s responsibilities include updating existing regulations, and adopting new regulations.
Current Rulemaking Activity
Completed Rulemaking Activity
Notifications Regarding Our Rulemaking
Information regarding the rulemaking process will be posted to this page. If you would like to receive notifications regarding rulemaking activities, please subscribe to our email list here.
The California Privacy Protection Agency is currently engaged in formal rulemaking activities. In Fall 2021, the Agency solicited preliminary written comments from the public. In Spring 2022, it held Informational and Stakeholder sessions and posted all materials on its website. On May 27, 2022, the Board posted a meeting notice and agenda for its June 8, 2022 meeting, which included as one of its items “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000 to 7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action.” The draft proposed regulations have been made available to the public as part of the June 8 meeting materials. On June 8, 2022, the Board approved the draft proposed regulations for the formal rulemaking process and authorized the Executive Director to take steps necessary to begin the rulemaking process. On July 8, 2022, the Agency published its notice of proposed action in the California Regulatory Notice Register, beginning the formal rulemaking process. Below is a Q&A to provide more information about the proposed regulations and the regulations process.
When Proposition 24 created the new state agency, the California Privacy Protection Agency, it established its governance by a five-member Board. The Board holds rulemaking authority, meaning that it must decide to begin the formal rulemaking process under California’s Administrative Procedures Act (APA) for draft proposed regulations. The Board decides to begin formal rulemaking in a public meeting that complies with the Bagley-Keene Open Meeting Act. This law requires the Agency to post notice of any Board meeting on the Internet at least 10 days in advance, with notice including the specific agenda for the meeting and a brief description of the items to be discussed. In addition, any writings that are or will be distributed to the Board, that relate to an item that will be discussed at a public meeting, must also be made available to the public. Draft proposed regulations are a writing.
To commence the formal rulemaking process as set forth in the APA, the Agency filed a Notice of Proposed Rulemaking Action, referred to as a “NOPA”, the text of the proposed regulations, and an initial statement of reasons (ISOR) describing the reasons for the draft proposed regulations. The NOPA is posted on the Agency’s website and published in the California Regulatory Notice Register, which marks the first day that formal rulemaking begins.
The public will have the opportunity to comment on the draft proposed regulations multiple times during the formal rulemaking process. Filing a NOPA opens the initial public comment period, which runs for at least 45 days and provides an opportunity to submit written public comments to the Agency. The Agency will also hold a public hearing. In the NOPA, the Agency provides specific instructions on how the public may send written comments on the proposed regulations and attend a public hearing to provide oral comments. For tips on writing an effective public comment, see here.
Under the APA, if the Agency proposes any substantive change related to the original text of the proposed regulations after the initial comment period, it will open an additional public comment period for at least 15 days and consider any comments received on those proposed modifications. The Agency is required to summarize and respond to every public comment in its Final Statement of Reasons (FSOR), which will accompany the text of the final regulations in a package submitted to the Office of Administrative Law (OAL). For more information on the formal rulemaking process, see here. If you would like to receive notifications regarding rulemaking activities, please subscribe to our email list here.
On April 21, 2022, rulemaking authority under the CCPA formally transferred from the Attorney General to the Agency. Just like the Attorney General’s rulemaking process, the Agency’s rulemaking process will comply with the APA. One main difference between the Agency’s rulemaking authority is that Attorney General did not have to comply with Bagley-Keene because the Department of Justice is led by the Attorney General, as opposed to being a state body that is controlled by a Board. This is why, for example, the first time the public viewed the Attorney General’s proposed CCPA regulations was when the Department of Justice filed its NOPA and began formal rulemaking. The Board will also comply with Bagley-Keene throughout formal rulemaking. This means that each time the Board discusses the proposed regulations, it will be in a public meeting that includes 10-days' advance notice to the public, with any writings distributed to the Board made available to the public.
Proposition 24, also known as the “California Privacy Rights Act of 2020” or “CPRA”, amended or reenacted the California Consumer Privacy Act of 2018, or the “CCPA.” The law vests the Agency with “full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018.” This is because the CPRA amended the CCPA; it did not create a separate, new law. The proposed regulations seek to update existing regulations and add new rules to implement and interpret the language in the text of the CCPA, as amended by the CPRA. Further, many of the regulations reorganize and restate the existing statute and regulations, to make it easier to read as a standalone document.