Communications Litigation Today was a Warren News publication.

Next Big Calif. Privacy Agency Rulemaking Slated for July

The California Privacy Protection Agency could open formal rulemaking in July on draft regulations related to cybersecurity, risk assessments, automated decision-making and updating privacy rules, CPPA General Counsel Phillip Laird said Friday. The rulemaking would likely conclude in 2025, he said at a partially virtual meeting. Before the rulemaking starts, CPPA plans a “roadshow” across California to engage with and encourage broad public participation, he said. The board discussed revised, pre-rulemaking proposals on the latter three issues, which privacy experts say could affect many industries, including communications and the internet (see 2312060021). It gave staff a green light to move ahead on the cybersecurity rules last December (see 2312080064), but this summer’s rulemaking would take up all four items as a package. Recent CPPA revisions tightened automated decision-making draft rules, McDermott Will privacy lawyers David Saunders and Cathy Lee blogged March 1. For example, the definition of automated decision-making “in the last iteration was so broad so as to include calculators or even spreadsheet formulas,” they said. Board member Alastair Mactaggart raised that concern at a December meeting. The current draft “expressly excludes ordinary technologies … so long as they are not used in a manner that replaces human decision-making. Ambiguity remains, however, as to what happens if one of the excluded technologies is used to facilitate human decision-making.”