The California Privacy Protection Agency (the “Agency” or CPPA), the new California state agency created under the California Privacy Rights Act of 2020 (CPRA) to oversee and enforce the California Consumer Privacy Act (CCPA) and the CPRA, has recently called for preliminary public comments on a proposed rulemaking under the CPRA. See the invitation from the Agency and details on how to provide comments; the deadline for submissions is Nov. 8, 2021.

The Agency is welcoming all comments about any area over which it has rulemaking authority but has stated that it is particularly interested in comments regarding new or undecided issues not already covered by the CCPA. The Agency has provided a list of topics as guidance for comments, including:

  • Cybersecurity audits and risk assessments performed by businesses;
  • Automated decision-making;
  • Audits performed by the Agency;
  • Consumers’ right to delete, right to correct, and right to know, and what information should be provided in a right to know request;
  • Consumers’ rights to opt out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
  • Consumers’ rights to limit the use and disclosure of sensitive personal information; and
  • The definitions and categories of information described in the CCPA/CPRA.

The Agency has also suggested a list of subtopics for each of the above categories of information it believes will be helpful in creating the new regulations. These questions include:

  • What the scope of the Agency’s audit authority should be;
  • How often, and under what circumstances, a consumer may request a correction to their personal information; and
  • What rules and procedures should be established to allow consumers to limit businesses’ use of their sensitive personal information?

The CPPA stated in its invitation that submitted comments “will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.” The slew of meetings the Agency has held in September, together with this notice of invitation to comment, serves as a reminder to companies that the CPRA is forthcoming, and that the Agency is taking a proactive role in overseeing it. The invitation also acts as an opportunity for companies to provide input on their concerns regarding the CPRA or proposed language for specific elements of the law. The Agency has until July 1, 2022, to finalize the regulations for the CPRA.