CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).

The CPRA creates the Agency and vests it with issuing regulations on twenty-two topics by July 1, 2022. For reference, the CCPA required the California Attorney General’s office to issue regulations on seven (plus two permissive) topics.

The Invitation seeks “input from stakeholders” on “any area on which the Agency has authority to adopt rules.” However, the Agency is “particularly interested” in the following eight topics:

  1. Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses
  2. Automated Decisionmaking
  3. Audits performed by the Agency
  4. Consumers’ Right to Delete, Right to Correct, and Right to Know
  5. Consumers’ Rights to Opt-Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information
  6. Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information
  7. Information to Be Provided in Response to a Consumer Request to Know (Specific Pieces of Information)
  8. Definitions and Categories

The Invitation provides further explanation for each of the eight topics. The deadline to submit comments is November 8, 2021.