The California Privacy Protection Agency Board ('CPPA Board') issued, on 22 September 2021, an invitation for preliminary comments on proposed rulemaking under the California Privacy Rights Act of 2020 ('CPRA'). In particular, the CPRA amends and extends the California Consumer Privacy Act of 2018 ('CCPA'), and to implement the law, the CPPA Board was vested with the administrative power, authority, and jurisdiction to implement and enforce the CCPA, where responsibilities include updating existing regulations, and adopting new regulations. In this respect, the invitation calls on the public to submit comments related to any area on which the CPPA Board has authority to adopt rules, where comments will be used in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law's regulatory objectives in the most effective manner.

Specifically, the key topics for public comment include:

• processing that presents a significant risk to consumers' privacy or security: cybersecurity audits and risk assessments performed by businesses;
• matters of automated decision-making;
• audits performed by the CPPA Board;
• matters relating to consumers' rights, namely: 
  • consumers' right to delete, correct, and know their data;
  • consumers' rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
  • consumers' rights to limit the use and disclosure of sensitive personal information;
• information to be provided in response to a consumer request to know; and
• definitions and categories of information and activities.

Comments can be submitted by email to [email protected], or by mail to the CPPA, and must be submitted by 8 November 2021. 

You can read the invitation here, and access further details on CPPA Board regulations here.

UPDATE (10 November 2021)

EPIC and peer organisations submit comments for CPPA Board CPRA proposed rulemaking

The Electronic Privacy Information Center ('EPIC') and three peer organisations announced, on 9 November 2021, that they had submitted comments to the CPPA Board on its proposed rulemaking under the CPRA. In particular, the coalition urges the CPPA Board to, among other things:

• continue to protect consumers' rights and strengthen consumer privacy;
• impose rigorous risk assessment obligations on businesses whose data processing activities could reasonably harm individuals' privacy or security;
• maximise the transparency of automated decisionmaking systems and minimise the burdens on individuals who wish to opt out of such systems; and
• prevent any exceptions to user-directed limits on the use and disclosure of sensitive personal information from swallowing the rule.

You can read the press release and access the comments here.

UPDATE (12 November 2021)

NAI submits comments for CPPA Board CPRA proposed rulemaking

The National Advertising Initiative ('NAI') announced, on 9 November 2021, that it had submited comments to the CPPA Board on its proposed rulemaking under the CPRA. In particular, NAI's comments address, among other things, data risk assessments, cybersecurity audits, CPPA enforcement, the regulation of dark patterns, and consumer rights pertaining to the rights to opt-out of the sale or sharing of personal information and to limit the use and disclosure of sensitive personal information.

You can read the press release and access the comments here.