The California Privacy Protection Agency (CPPA), which is responsible for issuing regulations implementing the California Privacy Rights Act (CPRA), has posted its approved discussion draft for seeking public comments in preparation for its CPRA rulemaking activities.  The CPPA indicated that it is particularly interested in receiving comments on the following eight topics:

  1. Determining what processing presents a significant risk to consumers’ privacy or security, including details around the frequency, formatting, and submission of cybersecurity audits and risk assessments
  2. Automated decisionmaking, including broad questions related to consumers’ access and opt-out rights with respect to businesses’ use of automated decisionmaking technology
  3. Audits performed by the agency, including what the scope of the agency’s audit authority should be
  4. Consumers’ right to delete, right to correct, and right to know, focusing in particular on the correction right
  5. Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information, with multiple questions related to the operation of a global “opt-out preference signal”
  6. Consumers’ rights to limit the use and disclosure of sensitive personal information, focusing in particular on whether there should be exceptions to this right
  7. Information to be provided in response to a consumer request to know, including a question on when access to specific pieces of personal information would be subject to the exception for requests involving disproportionate effort
  8. Definitions and categories, including clarification of the business purposes for which service providers and contractors may combine consumers’ personal information that was obtained from different sources and regulations (if any) to further define “dark patterns” that are ineffective in securing consumers’ consent

Comments also can cover any other area on which the Agency has authority to adopt rules.  The deadline and procedures for submitting comments have not yet been announced, but the full text of the approved discussion draft outlining the comment topics is available on the CPPA’s website.

To assist in obtaining public feedback, the CPPA also anticipates holding a series of informal hearings.  The places and times for these hearings have not yet been announced.

The CPPA Board emphasized that both the comment period and hearings are preliminary rulemaking activities.  Additional opportunities for comment will follow publication of any proposed regulations or modifications.

The next CPPA public board meetings are scheduled for Monday, October 18th and Monday, November 15th.

Print:
EmailTweetLikeLinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.