When California voters approved the California Privacy Rights [and enforcement] Act (CPRA) last November, they also created the California Privacy Protection Agency (CPPA). The CPPA is responsible for creating and enforcing the enabling rules for CPRA.
In late September, the agency released an Invitation for Preliminary Comments on Proposed Rulemaking, and in early October, the agency announced its new executive director, who will oversee this process.
In the Pre-Rulemaking Invitation for Comments, the CPPA makes clear that stakeholders may comment on “any area on which the Agency has authority to adopt rules.” The Agency has highlighted eight specific topics in which it is particularly interested, including:
(1) processing that presents a significant risk to consumers’ privacy or security, cybersecurity audits, and risk assessments performed by businesses;
(2) automated decisionmaking;
(3) audits performed by the agency;
(4) consumers’ right to delete, right to correct, and right to know;
(5) consumers’ right to opt out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
(6) consumers’ rights to limit the use and disclosure of sensitive personal information;
(7) information to be provided in response to a consumer request to know (specific pieces of information); and
(8) definitions and categories.
These are all important topics to companies doing business in California. Some will want to provide input to the commission, but everyone will want to watch the outcome to see whether or how it impacts their data handling, at least in California.
You can find more information on the rulemaking topics and potential impact in an article written by the law firm Wiley Rein.