Rulemaking: How it Works and How to Get Involved

Published: Nov 22, 2024

At CPPA’s Board Meeting on November 8, 2024, the Agency adopted new data broker regulations and formally advanced a rulemaking package to update existing California Consumer Privacy Act (CCPA) regulations and proposes regulations for cybersecurity audits, risk assessments, automated decisionmaking technology, and insurance companies.  

You might be thinking — these are significant new rules that might affect me. What if I want to participate or give feedback? The answer is rulemaking is an open, transparent, and interactive process. Everyone is invited to weigh in on proposed regulations, and CPPA encourages you to get involved. Let’s dive into how it works and how to provide comments.  

Rulemaking is a government process that gives state agencies the authority to create regulations that implement, interpret, or specify existing laws. CPPA is directed by statute to engage in rulemaking that advances the purposes of the California Consumer Privacy Act of 2018, as well as implement and administer the Delete Act. 

The rulemaking process begins when a state agency drafts regulations based on its statutory authority. Once the regulations are ready to enter formal rulemaking, a notice package is submitted to the Office of Administrative Law (OAL). OAL is an independent, neutral state agency that reviews regulations to ensure compliance with the Administrative Procedures Act (APA) — the law that guides the rulemaking process. Once the notice package is submitted, the regulations enter formal rulemaking which requires a minimum 45-day public comment period. 

This is where you come in! You can review the proposed regulations posted on the Agency’s website and submit a written public comment via mail or email to the Agency (or orally in the case of a public hearing). Your comment can include an explanation of your support or opposition to the proposed regulations, as well as suggestions for how the regulations can be improved. The Agency must consider all comments and may make modifications if necessary.  

If the Agency makes modifications after the 45-day comment period, another 15-day comment period will follow during which you can submit another comment. If further modifications are made after that, another 15-day public comment period is opened, and so on, until the proposed regulation text is finalized. 

After that, the final rulemaking package is submitted to OAL. All comments will be included in the submission to OAL, along with the Agency’s official response to any objections or suggestions. OAL then has 30 business days to review the proposed regulations and make sure they comply with the APA. 

If OAL finds an issue with the regulations, the Agency can address the issue and resubmit the proposed regulations. Once OAL approves the rulemaking package, the regulations become official and go into effect shortly afterward.  

Below, you can watch a video that gives a brief summary of the rulemaking process, as well as helpful tips for providing effective public comment during the formal rulemaking period. Find more helpful information about making public comment or your privacy rights on our Resources page

We hope this overview is a useful resource for understanding the rulemaking process. If you would like to get involved, please view our current rulemaking activity on the Laws & Regulations page of the CPPA website. Comments on current rulemaking can be submitted by email to regulations@cppa.ca.gov. 

If you have any questions, please contact us at info@cppa.ca.gov.