Yesterday, the California Privacy Protection Agency ("CPPA") released a formal invitation for stakeholders to submit preliminary comments on proposed rulemaking under the California Privacy Rights Act ("CPRA"). Comments are due by November 8, 2021.
As a quick recap, last November California voters passed the CPRA, which will replace the existing California Consumer Privacy Act ("CCPA") in January 2023. Under the CPRA, California's new privacy enforcement agency, the CPPA, must adopt regulations governing the CPRA by July 1, 2022.
To be clear, the CPPA has yet not issued proposed regulations for the CPRA. Rather, this invitation asks stakeholders to provide input on specific topics that will assist the CPPA in drafting proposed regulations. Stakeholders should have opportunity to comment on proposed regulations once drafted.
Some of topics for which the CPPA seeks input include:
- Cybersecurity Audits and Risk Assessments
- Automated Decisionmaking
- Auditing by the CPPA
- Consumers Rights to Know, Correct, and Delete
- Technical Specifications for Opt-Outs of Sales and Sharing
- Sensitive Personal Information
- Updating of Definitions and Categories
The CPPA also invites comments on topics not expressly identified by the CPPA.
Companies and other stakeholders that engage in data processing activities that may be impacted by the CPRA should carefully review the invitation and consider submitting comments to the CPPA.
Comments will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner