CPPA Begins Formal Rulemaking Process

On July 8, 2022, the California Privacy Protection Agency (CPPA) issued updated draft regulations implementing the California Privacy Rights Act (CPRA) as well as a notice of proposed rulemaking, which announced public hearings on August 24 and 25, 2022.

The CPPA also released an economic impact statement, which appears to underestimate the compliance costs to companies, indicating that compliance costs will be less than $10 million in the aggregate for all companies that need to comply with CPRA. California Consumer Privacy Act (CCPA) compliance costs are estimated to be in excess of $55 billion.

The updates to the draft regulations appear to be limited to non-substantive edits to the draft regulations published on May 27, 2022. The public can submit written comments to the draft regulations until August 23, 2022. We expect a significant volume of comments will be submitted.

As we detailed in our June 1, 2022, summary of the initial draft regulations, as written the regulations represent a seismic shift to the plain language of the CPRA. The draft regulations will make some optional aspects of the CPRA mandatory and introduce some entirely new requirements. The initial draft regulations drew widespread criticism, including from the Association of National Advertisers. As a result, if the CPPA does not further amend the draft regulations, litigation challenging the CPPA's authority might follow the conclusion of the rulemaking process, further muddying the waters for companies trying to understand their obligations before the January 1, 2023, deadline for compliance.

McDermott's Global Privacy & Cybersecurity team can assist clients with submitting comments to these new proposed rules. In addition, we are helping client across a broad range of industries currently working toward compliance with the CCPA/CPRA, including gap assessments, updates to CCPA program components, and implementation strategies based on unique business risks.  If you are interested in submitting comments in response to the proposed regulations, or need assistance with your CPRA compliance please contact Amy Pimentel or David Saunders.

McDermott's Chambers-rated Global Privacy & Cybersecurity team leads clients through the complex—and often unanticipated—regulatory, compliance and transactional challenges that govern their valuable data assets. Combining deep experience operating within highly regulated environments with a practical business-focused approach to navigating the rapidly evolving data privacy environment, our team of 20+ lawyers help clients develop creative solutions to regulatory obstacles and leverage their valuable data assets to drive change and innovation.