Newly Formed California Privacy Protection Agency Invites the Public to Comment on Proposed CPRA Rulemaking and Implementation

By Fey LLC (Will Davis, Eleazar Rundus)

The newly formed California Privacy Protection Agency (CalPPA), created by the California Privacy Rights Act (CPRA) to enforce and implement California’s comprehensive consumer privacy law, has invited the public to comment on proposed CPRA rulemaking and implementation.

The public comment period closed November 8, 2021.

Comment Topics

The Agency invited comments on eight specific topic areas:

  1. Definitions: Clarification of terms used in the CPRA, including “personal information,” “sensitive personal information,” and “sale/share”
  2. Consumer Rights: Implementation of consumers’ rights to access, delete, correct, and opt out
  3. Sensitive Personal Information: Procedures for consumers to limit the use and disclosure of sensitive personal information
  4. Contracts: Required provisions in contracts between businesses and service providers, contractors, and third parties
  5. Risk Assessments: Requirements for data privacy risk assessments
  6. Cybersecurity Audits: Requirements for annual cybersecurity audits
  7. Automated Decision-Making: Rules around the use of automated decision-making technology, including profiling
  8. Opt-Out Preference Signals: Guidance on honoring Global Privacy Control and other browser-based opt-out signals

Significance of the Rulemaking

The CPRA significantly expanded the scope and enforcement mechanism of California’s privacy law, including by:

  • Creating the CalPPA as an independent enforcement agency (separating enforcement authority from the Attorney General)
  • Expanding consumer rights (adding rights to correct and to limit sensitive data use)
  • Requiring cybersecurity audits and risk assessments
  • Mandating rules around automated decision-making and profiling
  • Creating new rules around “sharing” of personal information (not just selling)

The final CPRA regulations were adopted on March 29, 2023, after significant delays. See our later posts on the enforcement timeline and the enforcement appeal for updates on when these regulations took effect.

Implications for Businesses

Organizations subject to the CCPA/CPRA should monitor CalPPA rulemaking carefully, as the Agency has authority to adopt regulations that will significantly shape compliance obligations, particularly in areas like automated decision-making, risk assessments, and cybersecurity audits where detailed regulations are still forthcoming.
