As you may recall, the California Privacy Rights Act ("CPRA") established a new state privacy regulatory agency, the California Privacy Protection Agency Board ("CPPA Board"), and the CPRA vests certain rulemaking authority (along with enforcement authority) to the CPAA Board. The CPPA Board has issued an invitation for preliminary comments from the public related to a wide swath of areas over which the CPPA Board has rulemaking authority. According to the invitation, comments may be used in developing new regulations under the CPRA, and determining whether changes to the existing regulations are needed to implement the CPRA.

Key topics for public comment include:

  • processing that presents a significant risk to consumers' privacy or security: cybersecurity audits and risk assessments performed by businesses;
  • matters of automated decision-making;
  • audits performed by the CPPA Board;
  • matters relating to consumers' rights, namely:
    • consumers' right to delete, correct, and know their data;
    • consumers' rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
    • consumers' rights to limit the use and disclosure of sensitive personal information;
  • information to be provided in response to a consumer request to know; and
  • definitions and categories of information and activities.

Comments can be submitted by email to or by mail to the CPPA, and must be submitted by November 8, 2021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.