The California Privacy Protection Agency (CPPA), which is responsible for issuing regulations implementing the California Privacy Rights Act (CPRA), has posted its approved discussion draft for seeking public comments in preparation for its CPRA rulemaking activities.  The CPPA indicated that it is particularly interested in receiving comments on the following eight topics:

  1. Determining what processing presents a significant risk to consumers’ privacy or security, including details around the frequency, formatting, and submission of cybersecurity audits and risk assessments
  2. Automated decisionmaking, including broad questions related to consumers’ access and opt-out rights with respect to businesses’ use of automated decisionmaking technology
  3. Audits performed by the agency, including what the scope of the agency’s audit authority should be
  4. Consumers’ right to delete, right to correct, and right to know, focusing in particular on the correction right
  5. Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information, with multiple questions related to the operation of a global “opt-out preference signal”
  6. Consumers’ rights to limit the use and disclosure of sensitive personal information, focusing in particular on whether there should be exceptions to this right
  7. Information to be provided in response to a consumer request to know, including a question on when access to specific pieces of personal information would be subject to the exception for requests involving disproportionate effort
  8. Definitions and categories, including clarification of the business purposes for which service providers and contractors may combine consumers’ personal information that was obtained from different sources and regulations (if any) to further define “dark patterns” that are ineffective in securing consumers’ consent

Comments also can cover any other area on which the Agency has authority to adopt rules.  The deadline and procedures for submitting comments have not yet been announced, but the full text of the approved discussion draft outlining the comment topics is available on the CPPA’s website.

To assist in obtaining public feedback, the CPPA also anticipates holding a series of informal hearings.  The places and times for these hearings have not yet been announced.

The CPPA Board emphasized that both the comment period and hearings are preliminary rulemaking activities.  Additional opportunities for comment will follow publication of any proposed regulations or modifications.

The next CPPA public board meetings are scheduled for Monday, October 18th and Monday, November 15th.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.