Next Big Calif. Privacy Agency Rulemaking Slated for July

The California Privacy Protection Agency could open formal rulemaking in July on draft regulations related to cybersecurity, risk assessments, automated decision-making and updating privacy rules, CPPA General Counsel Phillip Laird said Friday. The rulemaking would likely conclude in 2025, he said at a partially virtual meeting. Before the rulemaking starts, CPPA plans a “roadshow” across California to engage with and encourage broad public participation, he said. The board discussed revised, pre-rulemaking proposals on the latter three issues, which privacy experts say could affect many industries, including communications and the internet (see 2312060021). It gave staff a green light to move ahead on the cybersecurity rules last December (see 2312080064), but this summer’s rulemaking would take up all four items as a package. Recent CPPA revisions tightened automated decision-making draft rules, McDermott Will privacy lawyers David Saunders and Cathy Lee blogged March 1. For example, the definition of automated decision-making “in the last iteration was so broad so as to include calculators or even spreadsheet formulas,” they said. Board member Alastair Mactaggart raised that concern at a December meeting. The current draft “expressly excludes ordinary technologies … so long as they are not used in a manner that replaces human decision-making. Ambiguity remains, however, as to what happens if one of the excluded technologies is used to facilitate human decision-making.”