California voters passed the California Privacy Rights Act (CPRA) on the November 2020 ballot. The CPRA brought with it amendments and additions to the existing privacy framework set out under the California Consumer Privacy Act (CCPA). The CPRA also established an independent supervisory authority in the shape of the California Privacy Protection Agency (CPPA) to enforce the CCPA. The agency’s responsibilities also include adopting new regulations as well as updating existing regulations.

On September 22, 2021, the CPPA invited the public to submit comments on proposed rulemaking under the CPRA relating to several key topics. The CPPA has noted that the comments will help it develop new regulations and understand where existing regulations need to be amended, with a particular interest in issues not already covered by CCPA regulations. The invitation for public comment will also help the CPPA determine whether the objectives of the CPRA are being met effectively.

CPPA Topics for Public Comment

As part of the call for public comment, the CPPA has established a number of questions that will help in the rulemaking process. The topics and questions outlined by the CPPA aim to give commenters initial direction for their input; however, stakeholders can comment on topics not covered in the document. Alongside comments on rulemaking, the public is also invited to propose language for new regulations and for changes to existing regulations.

The topics put forward by the CPPA for public comment include:

  • Cybersecurity audits and risk assessments for processing that presents a significant risk to consumers’ privacy or security
    • This includes what organizations should be required to include in audits and risk assessments and whether processing should be restricted or prohibited when it presents a significant risk to consumer privacy.
  • Activities that involve automated decision making and profiling
    • In particular, what activities fall under the definition of automated decision making, what should be provided in access requests related to automated decision making, and the scope of the opt-out rights.
  • The CPPA’s authority to conduct audits
    • This includes the scope of the CPPA’s authority, the criteria used when deciding when to audit, and safeguards used when disclosing consumers’ personal information to auditors.
  • Consumer rights: Right to delete, right to correct, and right to know
    • Among other things relating to consumer rights, the CPPA is seeking public comment on procedures for correcting inaccurate personal information, how businesses should respond to such requests, and when exemptions should apply to businesses.
  • Consumers’ right to opt out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
    • This includes how consumers can limit the use of sensitive personal information, and requirements for opt-out preferences in relation to the sale or sharing of personal information, including in cases of personal information relating to minors. The CPPA also seeks comments on how to process opt-out requests as well as options for consumers who have previously opted out to give consent to the sale or sharing of their personal information.
  • Consumers’ right to limit the use and disclosure of sensitive personal information
    • The public is invited to comment on the collection or processing of sensitive personal information that will not be subject to the right to limit use and disclosure and the scope of the use of sensitive personal information.
  • Information to be provided in response to a consumer’s request to know
    • This includes comments on how businesses can determine that providing information beyond the 12-month window outlined by the CPRA would be “impossible” or “would involve disproportionate effort.”
  • Definitions and categories
    • The CPPA is also seeking comment on the potential amendment to several key definitions and terms including:
      • Personal information
      • Sensitive personal information
      • Deidentified
      • Unique identifier
      • Designated methods for submitting requests
      • Intentional interactions
      • Precise geolocation

The CPPA also welcomed public comment on its initial rulemaking in any area not outlined above. Comments should be submitted to the CPPA through mail or email by November 8, 2021.
