The California Privacy Rights and Enforcement Act (“CPRA”), formerly known as Proposition 24, passed on November 3, 2020. The CPRA is intended to supplement privacy protections for Californians that were first established by the California Consumer Privacy Act (“CCPA”). The CPRA will be effective January 1, 2023 with a July 1, 2023 enforcement date. We have previously written about the CPRA and the CCPA.
Among other provisions, the CPRA created the California Privacy Protection Agency (“Agency”). The Agency is tasked with the responsibility for updating existing CCPA regulations issued by the California Attorney General’s Office and adopting new regulations for CPRA provisions.
On September 22, 2021, the Agency asked for the first round of public comments as part of the preliminary rulemaking process. The full Invitation for Preliminary Comments can be found here. There is no proposed rulemaking action at this time; rather, stakeholders are invited to comment on any topic pertaining to California data privacy law. The CPPA Agency asked for comments on several specific topics. There will also be at least one additional opportunity for public comment as part of the rulemaking process before any regulations are finalized.
The eight specific topics the CPPA Agency requested comments on are:
- Processing that presents a significant risk to consumers’ privacy or security: cybersecurity audits and risk assessments performed by businesses
- Automated decision-making
- Audits performed by the Agency
- Consumers’ right to delete, right to correct, and right to know
- Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
- Consumers’ rights to limit the use and disclosure of sensitive personal information
- Information to be provided in response to a consumer request to know (specific pieces of information)
- Clarifications to definitions and categories under CCPA and CPRA
The Agency also requested any additional comments that may relate to the Agency’s initial rulemaking. The Agency asks that all stakeholders submit comments by Monday, November 8, 2021.
Comments may be submitted via email to email@example.com with “PRO 01-21” in the subject line, or via mail to:
California Privacy Protection Agency
Attn: Debra Castanon
915 Capitol Mall, Suite 350A
Sacramento, CA 95814
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.