The California Privacy Protection Agency (CPPA), the newly formed state agency responsible for implementing the California Privacy Rights Act (CPRA), recently posted its first invitation for public comment on proposed rulemaking activities under the CPRA. Here is what you need to know:
- The invitation for preliminary comments marks the beginning of the CPRA rulemaking process, which will likely stretch well into next year.
- The preliminary comment period provides the best opportunity to submit comments on a broad range of topics related to the CPRA.
- The CPPA identified a number of specific topics of interest, but the public is permitted to submit comments related to any area within the CPPA’s authority to adopt rules.
- Preliminary comments are due by November 8, 2021.
The full text of the invitation for comments is available here. The invitation indicates that the CPPA is particularly interested in comments on the following topics relating to its rulemaking activities:
- Determining what processing of personal information creates a significant risk to the consumer’s privacy or security; when those risks to the consumer outweigh the benefits to a business; and questions regarding submissions of cybersecurity audits and risk assessment submissions from businesses, including the frequency and scope of those submissions.
- What activities should be considered “automated decisionmaking” and what should be the scope of consumers’ access to information and opt-out ability regarding automated decisionmaking.
- What scope, processes, safeguards, and selection criteria the CPPA should adopt regarding its audit authority.
- Consumers’ right to delete, right to correct, and right to know regarding their personal information held by businesses, with questions regarding the frequency and circumstances in which a consumer may request a correction to their personal information, what steps businesses must take to respond to a request for correction, and when a business should be exempted from an obligation to take action in response to a request.
- Consumers’ right to opt out of the “selling” or “sharing” of their personal information, with a focus on the process and technical requirements for opt-out preference signals.
- Consumers’ right to limit the use and disclosure of sensitive personal information, including what should constitute sensitive information and what uses or disclosures of personal information should remain permissible notwithstanding the consumer’s preferences.
- Information to be provided in response to a consumer’s request to know, specifically what standard should govern a business’s determination that providing information beyond a 12-month window is impossible or would involve a disproportionate effort.
- Updates and additions to the definitions and categories covered by the CCPA including specifically: personal information, sensitive personal information, deidentified, unique identifiers, precise geolocation, and dark patterns.
The notice expressly calls for comments about the topics outlined above but invites the public to submit comments related to any area on which the CPPA has the authority to adopt rules.
Of note, some areas where the CPPA has the authority to adopt rules but that were not specifically referenced in the invitation include: Establishing exceptions regarding the disclosure of trade secrets in response to consumer requests; consumers’ right to no retaliation; rules to ensure that notices that businesses are required to provide are accessible and easily understood; identifying the business purposes for which service providers and contractors may use consumer personal information received pursuant to a written contract for their own business purposes; reviewing Insurance Code provisions relating to consumer privacy; and harmonizing the regulations governing opt-out mechanisms.
The CPPA Board anticipates holding a series of informal hearings as an additional means of receiving public feedback and has emphasized that both the hearings and comment period are preliminary rulemaking activities. The board will provide additional opportunities for comment following the publication of proposed regulations or modifications.
The deadline for submitting comments is Monday, November 8, 2021 and comments can be submitted by the following means:
Comments can be emailed to firstname.lastname@example.org with “PRO 01-21” in the subject line.
Comments can be mailed to
California Privacy Protection Agency
Attn: Debra Castanon
915 Capitol Mall, Suite 350A
Sacramento, CA 95814
The next CPPA public board meetings are scheduled for Monday, October 18 and Monday, November 15.
For more information, advice concerning your CPRA compliance efforts, or assistance preparing or submitting a public comment to the CPPA, please contact Tracy Shapiro, Eddie Holman, or another member of the firm’s privacy and cybersecurity practice.