The California Privacy Protection Agency (CPPA) is holding pre-rulemaking stakeholder sessions via Zoom this week, Wed, May 4–6. The sessions are open to the public, and you can find full details on the CPPA website. Please read on for an overview of CPPA activities toward CPRA rulemaking.
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act ("CPRA"). The CPRA established the California Privacy Protection Agency ("Agency") and vested it with the administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act (CCPA) of 2018. The Agency’s responsibilities include updating existing regulations and adopting new rules.
The CPRA directs the new Agency to engage in further rulemaking on various topics. The Agency is promulgating regulations and soliciting broad public participation to further the progress of the CPRA.
Public input is intended to assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives most effectively. The Agency has not yet commenced formal rulemaking activities and won’t until after further stakeholder sessions.
The Agency solicited preliminary written comments from the public from Sept 22, 2021, through Nov 8, 2021. Written comments from that period are available on the CPPA website.
Public comments include calls for clarity of regulations, flexibility for responding to consumer requests, and enough time for auditors and businesses to prepare before the law goes into full effect. Another popular demand is for the Agency to align the CPRA, as much as possible, with existing and emerging privacy laws from other states, territories, and countries. Other hot topics are the debate over what constitutes protected data and the formal definition of de-identified and pseudonymous data. Several organizations commented that employee data should not be subject to the CPRA.
There are also many comments about the scope and definition of “automated decision-making technology.” For example: “Automated decisionmaking technology is not a universally defined term and could encompass a wide range of technology that has been broadly used for many decades, including spreadsheets and nearly all forms of software.” (California Grocers Association)
The Agency held informational sessions on Tuesday, March 29, 2022, and Wednesday, March 30, 2022, to inform the Agency Board, Agency staff, and the public on topics relevant to the upcoming rulemaking. The agenda, materials, and recordings of the informational sessions are available on the CPPA website.
The May 4-6 stakeholder sessions provide an opportunity for stakeholders to speak on topics relevant to the upcoming rulemaking process. Signups for the Stakeholder Sessions closed on April 22, 2022. However, the public may listen to the sessions and participate without prior request during the general public comment period.
While the CPRA timeline specifics are in flux, the overall compliance requirements remain. Experts advise organizations to prepare ahead of time for a smooth transition and minimal disruption.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations to which businesses may be subjected.
Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations, and products. We specialize in helping our customers improve their cybersecurity posture by implementing, testing, auditing, and operating information security programs.