We reported earlier that at the July 16^th California Privacy Protection Agency (CPPA) Board meeting, the Board would be considering a rulemaking package that staff prepared further the Board’s vote and direction in March.  Copies of those documents are here.  At the July 16^th Board meeting the staff presented on those, and reported that it was still working on the required Standardized Regulatory Impact Assessment (SRIA) that will need to be approved by the CA Department of Finance prior to publication for public comment and the commencement of the formal rulemaking process.  The Board also debated the substance of the draft rules but did not vote on them.  The Board asked staff to make clear certain alternatives to the draft in the call for public comments, most notably if risk assessments related to processing that, results in consequential decision-making, should be for all processing or just processing using automated decision-making (ADM) technologies.  Board Member MacTaggert raised several concerns about the current drafts, including:

• Risk assessments for processing for consequential decisions should not be restricted to ADM;
• Risk assessments should at least initially be more limited than to all businesses (e.g., higher revenue or processing thresholds);
• The definition of ADM is too broad;
• The opt-out for ADM is too broad;
• Consequential decisions should be more limited and specifically enumerated;
• The trigger for assessments and opt-out for consequential decisions should be where there is a denial of enumerated essential services not “access to,” expressing concern that “access” was too broad and might capture even contextual advertising; and
• California should follow Colorado’s approach to not requiring an opt-out where there is human intervention prior to a decision furthered by technology, rather than the current draft approach to not requiring an opt-out if there is a human appeal process following the decision.

A spirited debate ensued.  The other Board members, including Chair Urban, urged that these matters be further considered during the public comment period so as not to further delay the ability to seek and consider official public comments.  Chair Urban added “we have mined the field of knowledge as much as we can” and expressed that there would be value in seeking formal comments from outside stakeholders at this point.  No date has been set for the next vote to publish drafts for public comment, but Chair Urban indicated a desire to raise the issue in the September meeting. 

Once the drafts are published for public comment, they become “proposed,” and the public will have 45 days to comment.  Staff will then consider the comments, and along with the Board, can propose revisions; which if approved by the Board, will be published for a new 15-day public comment period, followed by a new consideration period and another opportunity for revisions.  This process could continue until the Board approves a set of proposed rules on the current topics under consideration (amendments to current regulations and new regulations on cybersecurity audits, data risk assessments, privacy protections related to the insurance agency and ADM/profiling).  The CPPA will have one year to complete rulemaking on these topics from the date the first proposed regulations are published for comment.  Thereafter, it would need to start over with a new proposed rulemaking.