On September 22, 2021, the California Privacy Protection Agency (CPPA or Agency)—the new agency established by the California Privacy Rights and Enforcement Act (CPRA)—released an Invitation for Preliminary Comments on Proposed Rulemaking. The CPRA amends and extends the CCPA and the privacy obligations for entities that do business in California that flow from it, including establishing the privacy agency to assume rulemaking authority from the California Attorney General. This step, while still part of preliminary rulemaking activity, can be seen as marking the beginning of a rulemaking process that will re-shape the privacy landscape in California. Businesses that currently are subject to the CCPA should pay close attention, as the new rulemaking process is tackling both updating existing CCPA regulations and adopting new regulations.
The CPPA is particularly interested in receiving comments on the following eight topics provided below. However, stakeholders may comment on “any area on which the Agency has authority to adopt rules.”
- Cybersecurity audit and risk assessment requirements for processing that presents a significant risk to consumers’ privacy or security;
- Automated decision-making;
- Agency authority to audit businesses’ compliance with the law;
- Consumers’ rights to delete, right to correct, and right to know;
- Consumers’ rights to opt-out of selling or sharing PI;
- Consumers’ rights to limit the use and disclosure of sensitive PI;
- Information to be provided in response to a consumer request to know specific pieces of PI; and
- Definitions of important terms and categories of information or activities covered by the statute.
For stakeholders that want to engage in this preliminary rulemaking activity, the deadline for submitting comments is November 8. The Agency will then start the formal rulemaking process, which will also include opportunities for public comment. Additionally, the CPPA anticipates holding public hearings, the dates and times of which have not yet been released. Final rules must be adopted by July 1, 2022.
As the California privacy landscape continues to be a moving target, companies will need to pay close attention to the new rules from the CPPA, as they work to come into compliance with the CPRA by January 1, 2023, when then new law goes into effect.