On September 22, 2021, the California Privacy Protection Agency (“CPPA” or “Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (“CPRA”). The CPPA was established by the CPRA, which vested the Agency with full administrative power, authority and jurisdiction to implement and enforce the CCPA. The Agency’s responsibilities include updating existing regulations and adopting new regulations.

The CPPA is seeking input from stakeholders in developing regulations implementing the CCPA as amended by the CPRA, including both new regulations and potential changes to existing regulations. The CPPA is particularly interested in comments on “new and undecided issues” not already covered by the existing CCPA regulations, including:

  • Processing activities that present significant risk to consumers’ privacy or security;
  • Cybersecurity audits and risk assessments performed by businesses;
  • Automated decisionmaking;
  • Audits performed by the CPPA;
  • Consumers’ rights to delete, correct and know their personal information;
  • Consumers’ rights to opt out of the selling or sharing of their personal information;
  • Consumers’ rights to limit the use and disclosure of their sensitive personal information;
  • Information to be provided in response to a consumer request to know (specific pieces of information); and
  • Definitions of certain terms and categories of information covered by the CCPA/CPRA (including the categories of “personal information” and “sensitive personal information” specified in the law and the definition of “dark patterns”).

The CPPA invites interested parties to submit comments on the above topics or any other topic related to the Agency’s initial rulemaking by November 8, 2021. The Agency’s invitation includes a Tips for Submitting Effective Comments guide for parties to follow in submitting their comments.