At the CPPA board meeting last week, the agency adopted the regulations and directed the staff to file the rulemaking package with the Office of Administrative Law (“OAL”). Before these regulations can become effective (and therefore enforceable), the OAL must complete its review of the regulations. It has 30 working days to complete its review of the regulations. Even though the CPPA adopted the regulations, staff noted that the regulations will be subject to future rulemakings, including with respect to employee benefits and dark patterns.
Notably, the board also approved a motion to direct staff to release a public draft of preliminary rulemaking questions concerning risk assessments, cybersecurity audits, and automated decisionmaking.