The California Privacy Rights Act of 2020 (“CPRA”) established a new state privacy regulatory agency, the California Privacy Protection Agency (“Agency”), which is responsible for issuing regulations implementing the CPRA (along with enforcement authority).
The CPPA has issued an Invitation for Preliminary Comments on Proposed Rulemaking from the public related to a various area over which the Agency has rulemaking authority. According to the invitation, comments may be used in developing new regulations under the CPRA, and determining whether changes to the existing regulations are needed to implement the CPRA.
The Agency indicated that it is particularly interested in receiving comments on the following topics:
- when a business’s processing presents a “significant risk to consumers’ privacy or security”;
- what should cybersecurity audits and risk assessments performed by businesses cover;
- define “automated decision-making,” how it should be disclosed to consumers and scope and process for consumer to “opt out”;
- Scope of audits performed by the Agency and policies and procedures in conducting such audits;
- Rules and procedures relating to the exercise of consumers’ rights, namely:
- consumers’ right to delete, correct, and know their data;
- consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
- consumers’ rights to limit the use and disclosure of sensitive personal information;
- scope of information to be provided in response to a consumer request to know specific pieces of information; and
- create or update definitions of important terms, categories of information or activities.
The Agency also published Tips for Submitting Effective Comments to help guide the process. As we saw with the CCPA rulemaking process, businesses now have an opportunity to be involved as the new agency begins drafting new regulations. Businesses with an interest in providing examples to show the Agency how certain regulations would negatively or positively impact business should consider submitting comments as part of this information gathering phase.
Comments can be submitted by email to email@example.com, or by mail to the Agency, and must be submitted by November 8, 2021.