CPPA Seeks Preliminary Comments on Rulemaking for the CPRA
The newly formed California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking under the California Privacy Rights Act of 2020 (the “CPRA”) on September 22. Earlier this year we detailed the specifics of the CPRA, and now the CPPA, which was established under the CPRA, has initiated its critical rulemaking function to further define and clarify the provisions of the CPRA.
In particular, the CPPA is interested in receiving public comments on areas of the CPRA that have sparse statutory language as to the parameters of a business’ obligations and in some instances require additional regulations to be issued per the statutory language. The specific areas the CPPA is seeking comment on include:
- Performance of Annual Security Audits. The CPRA requires businesses to perform annual cybersecurity audits that are thorough and independent when there is a significant risk to consumers’ privacy or security, taking into account the size and complexity of the business and the nature of its processing activities. Aside from this standard, the CPRA does not set forth further parameters; rather, the law relies on subsequently issued regulations to define them. To this end, the CPPA has specifically asked for input from businesses as to what they consider significant risk and what standards would classify an audit as thorough and independent.
- Submission of Risk Assessments. The CPRA requires businesses to submit risk assessments to the CPPA on a regular basis. The risk assessment must take into account the processing of personal information that poses significant risk to consumers’ privacy, including evaluation of (i) whether the processing involves sensitive personal information, and (ii) the benefit of the processing to the business, the consumer, other stakeholders, and the public, versus the cost of the potential risks to the rights of the consumer associated with such processing. These risk assessments must have the goal of restricting processing if the costs outweigh the benefits. The CPPA has specifically asked businesses for comment as to what type of processing triggers submission of a risk assessment, as well as the factors to evaluate in the cost/benefit analysis.
- Sensitive Personal Information. One of the major changes implemented by the CPRA was the expansion of consumers’ rights with respect to their sensitive personal information and the ability to limit a business’ processing, sharing, or use of that information. In particular, the CPPA is seeking input from businesses regarding the rules and procedures that should be in place for opting out of the use of sensitive personal information, including the parameters for defining the technical specifications that signal an opt-out.
The full text of the CPPA Invitation can be found here. We will continue to follow the CPRA rulemaking process as it progresses.