Home > Insights > Blogs > Cybersecurity Bits and Bytes > CPPA invites comments on various privacy topics
broken-data-security-650x510

CPPA invites comments on various privacy topics

Elizabeth Casale James Shreve Luke Sosnicki October 21, 2021

Links

Contributors

Contributors

David Duffy

David Duffy

Milada Goturi

Milada Goturi

Matt Hafter

Matt Hafter

Mark Mattingly

Mark Mattingly

Jennifer Post

Jennifer Post

James Shreve

James Shreve

Luke Sosnicki

Luke Sosnicki

RELATED EVENTS

RELATED EVENTS

May 17
2023

The Value of Cyber and Privacy Diligence
March 28
2023

Safeguarding the Data and Your Compliance Program – USED and GLBA
December 14
2022

Countdown to CPRA
November 15
2022

DOJ Cyber Fraud Initiative - Cyber Faces the FCA Hammer

The California Privacy Rights and Enforcement Act (“CPRA”), formerly known as Proposition 24, passed on November 3, 2020. The CPRA is intended to supplement privacy protections for Californians that were first established by the California Consumer Privacy Act (“CCPA”). The CPRA will be effective January 1, 2023 with a July 1, 2023 enforcement date. We have previously written about the CPRA and the CCPA.

Among other provisions, the CPRA created the California Privacy Protection Agency (“Agency”). The Agency is tasked with the responsibility for updating existing CCPA regulations issued by the California Attorney General’s Office and adopting new regulations for CPRA provisions.

On September 22, 2021, the Agency asked for the first round of public comments as part of the preliminary rulemaking process. The full Invitation for Preliminary Comments can be found here. There is no proposed rulemaking action at this time; rather, stakeholders are invited to comment on any topic pertaining to California data privacy law. The CPPA Agency asked for comments on several specific topics. There will also be at least one additional opportunity for public comment as part of the rulemaking process before any regulations are finalized.

The eight specific topics the CPPA Agency requested comments on are:

  1. Processing that presents a significant risk to consumers’ privacy or security: cybersecurity audits and risk assessments performed by businesses
  2. Automated decision-making
  3.  Audits performed by the Agency
  4. Consumers’ right to delete, right to correct, and right to know
  5. Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
  6. Consumers’ rights to limit the use and disclosure of sensitive personal information
  7. Information to be provided in response to a consumer request to know (specific pieces of information)
  8. Clarifications to definitions and categories under CCPA and CPRA

The Agency also requested any additional comments that may relate to the Agency’s initial rulemaking. The Agency asks that all stakeholders submit comments by Monday, November 8, 2021

Comments may be submitted via email to regulations@cppa.ca.gov with “PRO 01-21” in the subject line, or via mail to:

California Privacy Protection Agency
Attn: Debra Castanon
915 Capitol Mall, Suite 350A
Sacramento, CA 95814

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.