
California’s New Privacy Regulator Invites You to Comment

As you may recall, the California Privacy Rights Act (“CPRA”) established a new state privacy regulatory agency, the California Privacy Protection Agency Board (“CPPA Board”), and the CPRA vests certain rulemaking authority (along with enforcement authority) in the CPPA Board. The CPPA Board has issued an invitation for preliminary comments from the public on a wide swath of areas over which the CPPA Board has rulemaking authority. According to the invitation, comments may be used in developing new regulations under the CPRA and in determining whether changes to the existing regulations are needed to implement the CPRA.

Key topics for public comment include:

  • processing that presents a significant risk to consumers' privacy or security: cybersecurity audits and risk assessments performed by businesses;
  • matters of automated decision-making;
  • audits performed by the CPPA Board;
  • matters relating to consumers' rights, namely: 
    • consumers' right to delete, correct, and know their data;
    • consumers' rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information;
    • consumers' rights to limit the use and disclosure of sensitive personal information;
  • information to be provided in response to a consumer request to know; and
  • definitions and categories of information and activities.

Comments can be submitted by email to [email protected], or by mail to the CPPA, and must be submitted by November 8, 2021.



Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.