1. Draft rulemaking is almost complete and may come as early as June. Executive Director Soltani shared that they still are trying to contract with economists to put together their fiscal impact of their regulations which is required under the initial statement of reasons (ISOR). The Final rulemaking will not be finalized by the July 1 deadline as outlined in Proposition 24.
2. The initial draft rules will not include the following topics: Automated Decision making, Cybersecurity Audits, and Risk Assessments. The Agency will work on these, but they need additional time, and these could still be addressed by the time the rulemaking is finalized.
3. The Board deliberated on the timeline of what a rulemaking could look like under Office of Administrative Law (OAL) guidelines and will be deferential to the Agency staff to coordinate the timing with the Board’s perspective in mind.

• Executive Director’s Update Ashkan Soltani, Executive Director, California Privacy Protection Agency

• Hiring Update -
• Hired Maureen Mahoney Deputy of Policy and Legislation
• Hired key HR staff
• Bringing on staff in legal division in coming week(s)
• Law clerks and technologist postings on website and twitter in coming weeks
• We are also reposting for Public Affairs Deputy position (comms expertise and public education and outreach expertise)
• Budget Update -
• The Agency’s proposed budget is $10 million
• Agency provided our BCP testimony before the legislature to outline our proposed expenditures for 2022-23, including our 34 positions for statutory obligations.
• The BCP does not reflect the full complement of staff we anticipate to need, for example the staffing of our enforcement division.
• Rulemaking Update -
• We have made significant progress in our rulemaking process.
• We held instructive sessions in late March
• Materials for those sessions and recordings are available on our meetings and event page on our website.
• We also heard our pre-stakeholder meetings
• Materials for those sessions and recordings are available on our website.
• Last update: formal notice that our agency is prepared to take over the rulemaking
• On April 21st that authority was transferred from the AG to our Agency.
• May 5th is when California OAL approved the transfer of CCPA regulations to title 11.6 under our jurisdiction in CPPA. This is a non-substantive change, but it represents the beginning of the Agency’s rulemaking role.
• Last 6 months we have developed draft rules with significant input from the public.
• Mostly complete and will discuss our timeline with the board.
• We are preparing for the formal rulemaking
• We still need to contract economists for economic impact as a part of the OAL Initial Statement of Reasons cost impact.

• Chair Urban: What is the process of the board with budget?
• Soltani: In the future, Strategic priorities and review them with the board. We still need the remaining complement of staff and the activities and events we may engage in.
• Person titled - LKG (Firm?) public comment: Is the initial July 1 rulemaking deadline still in place?
• Chair Urban: Generally we are not able to respond due to California rules.

• Course of Action for Upcoming Rulemaking Process
• The Office of Administrative Law (OAL) process:
• Notice of proposed rulemaking
• Minimum 45 day public comment ends
• Public hearing
• Additional PC/PHs (15 or 45 days)
• Final Package Submitted

• Question on process (Chair Urban): Regarding public hearings, do they need to occur during or after the 45 day comment period?
• Counsel: They can occur after. Many boards hold it on the 45th day. (45 day is minimum comment period)

• 1st meeting: initial announcement of proposed regulations of rulemaking to general public
• 2nd meeting: more substance discussion on rulemaking during the 45 day comment period
• Additional meetings: if there are changes. Those changes will need to be approved before they move forward. After the public comment period, we will meet again on those substantive changes.
• o it is too early to tell how many public hearings there will be in total, but effectively, it will be as many times as there are substantive changes to the initial package.
• Final meeting: presented for final approval so it could go to OAL with Final Statement of Reasons (FSOR).

• Anticipated Rulemaking Draft
• Chair Urban: The Board previously allocated a list of topics to this subcommittee that relate to needed updates to existing regulations, or that are otherwise connected to existing regulations but new to the CPRA. These can include the new right correction, right to limit the use of sensitive PI, updating existing definitions, making sure existing processes in regulations work with the new rights, etc.
• Sierra also called out regulations incorporate new CPRA provisions around sharing of PI, how to avoid dark patterns. She noted that other types of changes may seem more extensive than they actually are.
• Some are about reorganization and consolidation of existing requirements to integrate new materials more easily, make them easier to follow.
• Can anticipate some material that will restate the statute where they believe it will help the reader, providing context, etc. Ultimately, neither of these types of revisions are regulatory changes. Just provided or incorporated to help everyone understand and follow the proposed regulations.

• Anticipated Rulemaking Draft
• The Agency anticipates rules on administrative enforcement, audit authority, but not on defining “law enforcement agency approved investigation”. They have determined there is a need to issue rules on the administrative enforcement process, including on the probable cause hearing. 
• There won’t be rules on cybersecurity audits, privacy risk assessments or automated decision making in the initial package of rulemaking. The Agency needs more time to get those three topics right because it is important for business as pointed out in stakeholder sessions. The subcommittee will continue work on those topics and they will be part of a separate package in the future.
• Soltani: it is entirely possible there will be concurrent but overlapping timelines on these other items by the CPRA subcommittee. There may not be one end date, so when the Agency submits our initial package, our next package may be in process.
• Thompson: Individual meetings with board members are up to the individual board members, but these meetings are advised to be done with a member of staff and these comments (written or verbal) will need to be included in the rulemaking file.

• California Asian Chamber of Commerce:
• They are concerned over the uncertainty of these privacy regulations and their potential unintended consequences. Throughout the agency’s pre-rulemaking activities, they have not heard anything about the actual scope of regulations or the cost that needs to be shouldered by small businesses. The Cal Asian Chamber stated that regulations impact not only large companies, but also affect small business owners who have relied on digital tools and platforms to connect with customers and build their reputation in communities they serve. How are you reaching out to small businesses to make sure they are included in the rulemaking process? What is the economic impact to businesses? Important that the agency be transparent about how many businesses will be created and how many will be closed under the proposed regulations. We know that the statutory deadline is rapidly approaching. What is the agency’s plan to address the July 1 deadline, other than missing it? No response was provided to them.
• California Hispanic Chambers of Commerce:
• Similar to the Cal Asian Chamber, the Hispanic Chambers of Commerce shared that privacy regulations do not just impact large companies. They also impact business of all sizes that rely on online platforms to serve customers. They do not believe enough is being done to meet those businesses where they are. They asked that the Agency formally extend the July 1 deadline and extend the enforcement deadline as well to give small businesses ample time for feedback and for compliance. After July 1 the agency will be in violation of prop 24. How will the agency look to extend the deadline? Do not see any way where the agency can collect sufficient feedback by July and feel these regulations are too important to rush. They asked or stated the agency needs to start with getting a more complete understanding on the potential economic impact on small and diverse owned businesses.
• Unidentified member of the public:
• Businesses need adequate time to prepare for new rules. They believe there is some shift in the schedule from the July 1 timeframe, but businesses are all still expecting that they must comply by the beginning of 2023. Some sort of clarity around the expected time frame for when compliance is expected is helpful.