In a recently issued invitation for preliminary comments, the California Privacy Protection Agency (Agency) has solicited input on issues it should address in upcoming rulemaking under the California Privacy Rights Act of 2020 (CPRA). The Agency, which was established by the CPRA (adopted by state ballot initiative in November 2020), is tasked with implementing and enforcing the California Consumer Privacy Act (CCPA), as amended by the CPRA. The Agency's invitation is an important opportunity for businesses regulated by the CCPA (which include, among others, any business with more than $25 million in annual revenue that collects personal information from at least one California resident), as well as for privacy advocates, to stake out a position on the regulatory framework that will govern interpretation and enforcement of the amended CCPA.

The Agency has suggested topics for comments that it considers particularly ripe for clarification in rulemaking. But it is inviting comments on any aspect of the CCPA/CPRA of significance to interested parties. Among other things, this is an opportunity to seek clarification of the Agency's own authority as investigator and enforcer. The deadline to submit comments is November 8, 2021.

Topics Outlined in the Invitation

In its invitation, the Agency outlined eight general topic areas for possible comments. Within each area, the Agency posed one or more questions that commenters might wish to address, which generally track the CPRA provisions directing the Agency to undertake rulemaking on specific issues. The eight areas covered are:

1. Processing that Presents a Significant Risk to Consumers' Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses
2. Automated Decision-making
3. Audits Performed by the Agency
4. Consumers' Rights to Delete, Right to Correct, and Right to Know
5. Consumers' Rights to Opt-Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information
6. Consumers' Rights to Limit the Use and Disclosure of Sensitive Personal Information
7. Information to be Provided in Response to a Consumer Request to Know
8. Definitions and Categories

Key Questions

Although each of the topic areas merits and likely will receive commentary, the questions raised in certain of those areas stand out as ones that call for public input. How the Agency resolves these questions in its regulations will largely determine what covered businesses need to do to steer clear of Agency enforcement actions in the years to come. Among these key questions are the following:

What constitutes a "significant risk" triggering cybersecurity audits and risk assessments? Under the CPRA, the Agency may require businesses to undertake cybersecurity audits and risk assessments only where "processing of consumers' personal information presents significant risk to consumers' privacy or security." The Agency is seeking commentary on what constitutes a "significant risk" triggering these obligations. Although some businesses may already perform these activities in the ordinary course, a broad interpretation of "significant risk" could impose expensive audit requirements on businesses where the benefit of the audits would be marginal. Providing the Agency with real-world examples of risk experience, and with data on the costs and benefits of cybersecurity audits and assessments, could help prevent the Agency from imposing unrealistic or unduly burdensome mandates.

When would the risks to the privacy of the consumer outweigh the benefits of a business processing the consumer's personal information, so that the processing should be restricted or prohibited?

What activities should be deemed to constitute "automated decision-making technology" and/or "profiling"?

What information must businesses provide to consumers in response to access requests in order to provide "meaningful information about the logic" involved in the automated decision-making process?

What should be the scope of the Agency's audit authority?

Should the definition of "sensitive personal information" be updated or supplemented?

Should the examples of "personal information" be updated?

Are updates to the definition of "deidentified" and/or "unique identifier" merited? Currently, it is unclear whether "deidentified" data is (or should be) limited to data that was previously identifiable, or whether deidentified data is any information that cannot be linked to an individual, regardless of its history. Similarly, there is good reason to update the examples and definitions of "unique identifiers" to exclude, for example, dynamic IP addresses and other temporary identifiers that lose their identification potential after a short period of time. Commenters taking that position should be prepared to address the counterargument that a dynamic IP address paired with a timestamp can often still be resolved to a subscriber through the Internet service provider's records.

Again, there is a very short timeframe in which to submit comments: the deadline for submission is November 8, 2021. We are available to advise if you are interested in submitting comments.

