Photo of Sheila MillarPhoto of Tracy Marshall

The newly established California Privacy Protection Agency (the Agency) is soliciting public comments on a number of issues, as required by the California Privacy Rights Act (CPRA) that was passed by ballot initiative in November 2020. CPRA expands the rights afforded to California residents and the obligations imposed on businesses under the California Consumer Privacy Act (CCPA) and directs the Agency to adopt rules to address CPRA’s new provisions. The Agency’s Notice of Invitation for Preliminary Comments, published on September 22, 2021, stresses that the request is not part of a proposed rulemaking but rather is a preliminary step, as public input “will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.”

Comments are due November 8, 2021. Stakeholders can submit comments on any aspects of the CCPA, but the Agency is particularly interested in feedback on the following:

Processing that presents a significant risk to consumers’ privacy or security: cybersecurity audits and risk assessments performed by businesses. The Agency’s questions are directed primarily at what cybersecurity audits and risk assessments performed by businesses should cover, what steps businesses should take, and the consequences if a business determines that the risks of processing a consumer’s privacy outweigh the benefits to the business.

Automated decision-making. CPRA confers rights to consumers beyond those adopted under the CCPA. CPRA requires the Agency to adopt regulations governing consumers’ access to information about a business’ use of automated decision-making technology or profiling and consumers’ right to opt-out. The Agency seeks comments on what activities should be deemed automated decision-making technology or profiling, the extent of a consumer’s opt-out rights, and what information businesses should provide to consumers in response to an access request.

Audits of CCPA compliance. CPRA authorizes the Agency to audit business’ compliance with the CCPA. Feedback is sought regarding the scope of the Agency’s audit authority, the processes it should follow, and the safeguards it should employ to protect consumers’ personal information from disclosure to an auditor.

Consumer right to correct personal information. CPRA requires additional rulemaking on a consumer’s right to correct the personal information a business has collected, which is in addition to existing rights to know what personal information has been collected and to delete personal information. The Agency asks what changes or new rules and procedures should be adopted to allow consumers to request corrections of personal information, how often and under what circumstances consumers should be allowed to request correction, and what steps a business should take in response.

Consumer rights to limit the use and disclosure of sensitive personal information. The Agency seeks input on what rules and procedures should be established to allow consumers to limit use of their sensitive personal information and how businesses should establish that a consumer is under 13 or between 13 and 16.

Information to be provided in response to a consumer’s request to know. CPRA generally requires that responses to a consumer request cover the 12 months prior to the request, but as of January 1, 2022, consumers may request information beyond the 12-month window. Businesses must comply unless it is impossible or disproportionately difficult. The Agency asks for input on what standard a business should apply in making such a determination.

Definitions and categories. The Agency also welcomes comments on what updates or additions, if any, should be made to the categories of “personal information” under CCPA, particularly to the categories of “sensitive personal information,” “deidentified,” and/or “unique identifier.”

While the request for comments is a preliminary step, it may prove especially helpful for affected businesses to offer practical perspectives on compliance implications as well as on the costs and benefits of different options. Public comments received will be posted on the Agency’s website. The Agency will invite additional public feedback on any proposed regulations or modifications once it publishes a notice of proposed rulemaking.