Last week, the California Privacy Protection Agency (the “Agency”) invited public comment on its preliminary rulemaking. As previously discussed, the California Privacy Rights Act (“CPRA”) established the Agency and tasked it with adopting additional implementing regulations and enforcing the California Consumer Privacy Act (“CCPA”).

The CPRA, approved by California voters in 2020, does not take full effect until January 1, 2023, at which time the rules outlined below come into force. Companies may benefit from working to comply with CPRA requirements sooner rather than later, as additional time may be needed to satisfy these new rules. Many of these rules, in particular the ones that relate to automated decisionmaking, the sharing of personal data, and cybersecurity, have the potential to dramatically expand the obligations of companies that handle large volumes of consumer information.

While the Agency welcomes all comments, it is particularly interested in public comments that will assist the Agency when considering rulemaking in the following areas:

1.  Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses. The CPRA requires businesses whose data processing presents a “significant risk to consumers’ privacy or security” to perform annual cybersecurity audits and submit regular risk assessments. The Agency is seeking comment on:

  • What processing activities constitute a “significant risk to consumers’ privacy or security”;
  • The requirements of annual cybersecurity audits, including scope and processes for ensuring that audits are “thorough and independent”;
  • The risk assessment requirements, including scope, frequency, and methodology for weighing the risks and benefits of processing; and
  • Situations where the risks to consumer privacy outweigh the benefits of processing such that processing should be restricted or prohibited.

2.  Automated Decisionmaking. The CPRA gives consumers “access and opt-out rights with respect to business’ use of automated decisionmaking technology.” The Agency is requesting industry insight on the:

  • Definitions for “automated decisionmaking technology” and/or “profiling”;
  • Extent of consumer access to information about a business’ use of automated decisionmaking technology;
  • Scope of information that businesses must provide to consumers about the underlying logic involved in the automated decisionmaking process; and
  • Scope of consumer opt-out rights and corresponding business obligations with regard to automated decisionmaking.

3.  Audits Performed by the Agency. The CPRA gives the Agency the power to perform audits of businesses, and in defining that audit authority, the Agency is seeking comment on:

  • The scope of its authority to audit and the processes for exercising this authority;
  • Criteria for selecting businesses to audit; and
  • Safeguards that the Agency should adopt to protect customer information from disclosure to the auditor.

4.  Consumers’ Right to Delete, Right to Correct, and Right to Know. The CPRA added the right to request correction of inaccurate personal information. The Agency is seeking comment on what rules and procedures are needed for customers to make this new request. More specifically, the Agency is asking:

  • How often and in what scenarios customers can make this request;
  • How businesses can respond to such a request;
  • When businesses should be exempt from granting a request; and
  • What options are available to a customer if a business denies such a request?

5.  Consumers’ Right to Opt-Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information. The CPRA calls for an update to the CCPA rules on the right to opt-out of the sale of personal information and limit the use and disclosure of sensitive personal information. As such, the Agency is requesting comment on the:

  • Rules and procedures needed to limit businesses’ use of sensitive personal information;
  • Technical specifications necessary to define an intent to opt-out for both adults and minors (and/or their guardians); and how businesses should process consumer rights once the intent is shown; and
  • Mechanisms for obtaining customer renewed consent after an opt-out preference was previously expressed.

6.  Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information. The CPRA provides consumers with rights to their “sensitive personal information,” including the right to limit the use and disclosure of such by businesses. The Agency is looking to further define the scope of “sensitive personal information,” and clarify to what extent the use or disclosure of such information is permissible, notwithstanding the consumer’s right to limit.

7.  Information to be Provided in Response to a Consumer Request to Know (Specific Pieces of Information). The CPRA requires that disclosure in response to a consumer request cover the 12-month period prior to that request. For information processed on or after January 1, 2022, businesses will need to disclose information beyond that 12-month window, unless providing that information would be “impossible” or “would involve a disproportionate effort.” The Agency is requesting comment on what standards should govern a business’s determination of impossibility or disproportionate effort.

8.  Definitions and Categories. The Agency is seeking comment on whether and how to update the definitions of various terms used in the CCPA and CPRA, including “personal information”; “sensitive personal information”; “deidentified” and/or “unique identifier”; “designated methods for submitting requests” to obtain information from a business; and others.

We are happy to discuss the Agency’s requests for public comment with our clients and friends.

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise law clerk David Wang for his contribution to this article.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Christopher S. Ford is an associate in Debevoise's Litigation Department who is a member of the firm’s Intellectual Property Litigation group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.