Interested parties have until November 8 to submit comments on proposed topics of CPRA rulemaking including new automated decisionmaking, risk assessments, new consumer rights, and sensitive personal information.

On September 22, the newly minted California Privacy Protection Agency (“CPPA”) sent out an invitation for preliminary comments on proposed topics of rulemaking under the California Privacy Rights Act (“CPRA”).

California privacy law is the most comprehensive privacy law in the United States. With the advent of the CPRA, businesses will have to comply with new privacy obligations beginning on Jan. 1, 2023. The invitation for comment, and subsequent comment periods, will give businesses and the public an opportunity to shape those obligations.

In November 2020, California voters approved the CPRA ballot imitative, which amended the already existing California Consumer Protection Act (“CCPA”). Under the CCPA, the California Attorney General was granted consumer privacy rulemaking authority. However, the CPRA created the CPPA and transferred consumer privacy rulemaking authority from the California Attorney General to the CPPA.

A recently passed CPRA amendment clarifies that the CPPA assumes rulemaking authority six months after the agency provides notice to the California Attorney General. Prior to the amendment, it was unclear whether the CPPA already assumed rulemaking authority on July 1, 2021 or six months after notice to the California Attorney General.

Below are the topics that the CPPA seeks to regulate, at least initially. According to the CPPA, the CPRA rulemaking process largely focuses on areas not already covered by existing CCPA regulations. All interest parties should submit their comments to [email protected] by including PRO 01-21 in the subject line.

Definitions

The CPPA seeks comments to help define new terms under the CPRA and to expand on concepts that are already defined.

Specifically, the CPPA is looking for input on how the following terms and concepts should be defined: (1) personal information (“PI”); (2) sensitive personal information (“SPI”); (3) deidentified information; (4) unique identifiers; (5) precise geolocation; (6) intentionally interact; (7) law enforcement agency approved investigation; (8) dark patterns; and (9) business purposes that allow a business, service provider, or contractor to combine PI obtained from other sources with information they collect.

Significant Risks to Consumer Privacy or Security

Under the CPRA, businesses that process PI in a way that creates significant risk to the consumer’s privacy or security must (1) perform annual cybersecurity audits; and (2) submit regular risk assessments to the CPPA.

The CPPA seeks comments that identify the types of processing that pose significant risks to consumer privacy or security.

As for the requirements for such processing, the CPPA seeks (1) input on what the annual audits should cover; (2) suggested processes to ensure thorough and independent audits; (3) how often risk assessments should be submitted; (4) what risk assessments should cover; and (5) how businesses should properly weigh the pertinent risks and benefits of such processing.

Specifically, the CPPA seeks comments that describe the type(s) of processing that possesses such a significant risk that it should be restricted or prohibited.

Automated Decisionmaking

New under the CPRA, businesses will need to provide consumers access and opt-out rights with respect to automated decisionmaking technology. Specifically, the CPRA’s automated decisionmaking provisions require businesses to provide a consumer with “meaningful information about logic” used in automated decisionmaking. Therefore, the CPPA seeks input on what constitutes meaningful information.

The CPPA’s invitation for comment also seeks input on (1) how automated decisionmaking should be defined; (2) when consumers should be allowed to access information related to such decisionmaking; (3) the scope of a consumer’s right to opt-out of automated decisionmaking; and (4) any related procedures.

CPPA Audits

The CPRA grants the CPPA authority to audit a business’s compliance with the CPRA and applicable privacy laws and regulations.

In developing regulations related to their audit authority, the CPPA seeks input on (1) the scope of their audit authority; (2) procedures the CPPA must follow, including any safeguards to protect PI; and (3) the criteria the CPPA should use to determine what businesses to audit.

Consumer Rights

Additionally, the CPRA modified consumer privacy rights, expanding on those rights granted under the CCPA.

  • Right to Access, Correction, and Deletion: The right to access and deletion already exists under the CCPA, while the CPRA adds the right to correction. The CPPA seeks input on (1) whether new rules should be crafted or if changes are needed to already existing rules; (2) how often a consumer should be allowed to request deletion; and (3) how a consumer can supplement their collected PI with a writing if their request is denied.

The CPRA also provides circumstances where a business can decline to delete a consumer’s PI. To help clarify those circumstances, the CPPA seeks comments to describe when deletion is impossible, requires disproportionate effort, or is related to accurate PI.

  • Right to Opt-Out of Sale or Sharing: Currently, consumers have a right to opt-out of the sale of their PI. The CPRA expands on this right. The CPPA seeks input on (1) technical specifications and requirements related to the opt-out rights; (2) technical specifications and requirements related to age-related opt out rights; and (3) how a business should provide options to a consumer.
  • Right to Limit Use and Disclosure of SPI: The CPRA formally introduced SPI as a category of PI; instituting new applicable consumer rights and obligations. Specifically, a consumer has the right to limit a business’s use or disclosure of that consumer’s SPI.

The CPPA seeks input on (1) the rules or procedures a consumer must follow to allow them to limit a business’s use of their SPI; (2) circumstances where SPI is not collected or processed for the purpose of inferring characteristics and therefore not subject to the opt-out right; and (3) what uses or disclosures should be exempt from the right.

Consumer Requests

Under the CCPA, businesses responding to consumer requests for information are required to provide consumers with the information they have collected about that consumer in the preceding 12 months. The CPRA expands the timeframe unless doing so is impossible or requires disproportionate effort.

The CPPA seeks input on when providing information beyond the preceding 12 months is impossible or requires disproportionate effort.