The California Privacy Protection Agency recently published public comments received in response to its preliminary rulemaking activities for the California Privacy Rights Act (CPRA). The comments were originally solicited in September and due by November 8. The public feedback totals nearly 900 pages. It includes comments from various companies, industry associations, and other interested parties.

The Agency intends to have additional informational hearings to gather more feedback. Its October meeting minutes suggest that the hearings may address topics such as how the procedures for exercising rights is operating, and the “opt out preference signal” or “global privacy control.” Formal rulemaking activities will begin at the conclusion of the agency’s fact gathering. There is no set timetable. That said, the rule-making authority is tied to 6 months after the agency provides notice to the Attorney General (discussed here).

We anticipate that the Agency will not only update existing CCPA rules, but issue new ones. This includes potentially addressing at least 15 topics not originally identified in the CCPA. For example, the access and opt-out rights for processing using automated decision making. This also includes the annual “cybersecurity audit.”

Putting it into Practice: As companies begin to plan and prepare budgets and resources for 2022, keeping an eye on developments and the procedural process for the CPRA regulations will be important. As we approach the new year, companies are also reminded that information collected in 2022 will be subject to CPRA’s 12-month look back period.