The California Privacy Protection Agency (CPPA), which is responsible for issuing regulations implementing the California Privacy Rights Act (CPRA), has posted its approved discussion draft for seeking public comments in preparation for its CPRA rulemaking activities. The CPPA indicated that it is particularly interested in receiving comments on the following eight topics:
- Determining what processing presents a significant risk to consumers’ privacy or security, including details around the frequency, formatting, and submission of cybersecurity audits and risk assessments
- Automated decisionmaking, including broad questions related to consumers’ access and opt-out rights with respect to businesses’ use of automated decisionmaking technology
- Audits performed by the agency, including what the scope of the agency’s audit authority should be
- Consumers’ right to delete, right to correct, and right to know, focusing in particular on the correction right
- Consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information, with multiple questions related to the operation of a global “opt-out preference signal”
- Consumers’ rights to limit the use and disclosure of sensitive personal information, focusing in particular on whether there should be exceptions to this right
- Information to be provided in response to a consumer request to know, including a question on when access to specific pieces of personal information would be subject to the exception for requests involving disproportionate effort
- Definitions and categories, including clarification of the business purposes for which service providers and contractors may combine consumers’ personal information that was obtained from different sources and regulations (if any) to further define “dark patterns” that are ineffective in securing consumers’ consent
Comments also can cover any other area on which the Agency has authority to adopt rules. The deadline and procedures for submitting comments have not yet been announced, but the full text of the approved discussion draft outlining the comment topics is available on the CPPA’s website.
To assist in obtaining public feedback, the CPPA also anticipates holding a series of informal hearings. The places and times for these hearings have not yet been announced.
The CPPA Board emphasized that both the comment period and hearings are preliminary rulemaking activities. Additional opportunities for comment will follow publication of any proposed regulations or modifications.
The next CPPA public board meetings are scheduled for Monday, October 18th and Monday, November 15th.