California Privacy Protection Agency Invites Public Comments on Proposed Rulemaking

Published: Oct. 07, 2021

Updated: Sep. 21, 2023

The California Privacy Protection Agency (the “Agency”), a newly formed agency charged with enforcing California’s robust privacy laws, has invited public comments on its proposed rulemaking on California privacy regulations. This is an excellent opportunity to encourage the Agency to promulgate regulations that are clear, reasonable, and workable. Comments must be filed by November 8, 2021.


The California Privacy Protection Agency was established as part of the California Privacy Rights Act (CPRA), a ballot initiative that California voters approved in November 2020. The newly-formed agency is empowered to implement and enforce the California Consumer Privacy Act (CCPA), which was amended and expanded by the CPRA. The Agency must now promulgate rules on a wide range of topics that will affect how businesses collect and store data, and it has invited stakeholders to submit comments to help shape the forthcoming rules.

Ashkan Soltani, former Chief Technologist for the Federal Trade Commission, was recently announced as the Agency’s executive director. Soltani is a smart, talented privacy advocate and will be a formidable regulator. 

Topics for Proposed Comments

Some of the topics the Agency has requested comments on include: 

  • Mandatory Risk Assessments: The CPRA requires businesses that process consumers’ personal information in a manner that “presents significant risk to consumers’ privacy or security” to conduct annual security audits and submit regular risk assessments regarding how they process personal information. The Agency seeks comment on when this requirement should be triggered, specifications for the required audits, frequency of evaluations, and conditions under which processing should be prohibited in light of the risk assessment results. 
  • Automated Decision-making: The Agency seeks comment on what information should be provided in response to access requests related to the use of automated decision-making technology, and whether consumers should be able to opt out of having their personal information processed using such technology. 
  • Right to Correct: The Agency seeks comment on when a consumer should be allowed to exercise the right to correct, how businesses should protect against fraudulent requests, and exemptions where correction is “impossible” or “involves disproportionate effort.” 
  • Right to Limit Use of Sensitive Information: The Agency will make rules about consumers’ rights to limit the way their “sensitive personal information” is used and disclosed. This new category includes things like social security numbers, information that allows access to a financial account, precise geolocation information, information about race, ethnicity, sexual orientation, religious or philosophical beliefs, and genetic data. When this information is collected or processed “without the purpose of inferring characteristics about a consumer,” it is not subject to the right to limit use and disclosure. The Agency seeks comment on when this exemption is triggered, and what other exemptions there should be to this right.
  • Responses to Consumer Requests:The Agency seeks comment on how to interpret the exemption allowing businesses to refrain from providing information beyond a 12-month period in response to an access request where providing such information would be “impossible” or involve a “disproportionate effort.”

The Agency also welcomes comments on other topics related to its proposed rulemaking. Consider submitting comments about topics such as: 

  • Whether the CPRA’s new enhanced requirements for how consumers may opt-out of the sale of their personal information should preempt existing guidance from the California Attorney General that requires businesses to treat the Global Privacy Control (GPC) as an opt-out request.
  • Ways to streamline CPRA-required links to reduce “clutter” in a website’s footer (e.g., by allowing a single California Privacy link that directs to all CPRA-required notices).
  • Whether information is “lawfully made available from federal, state, or local government records” and thus excluded from the definition of “personal information” if it is provided to certain business entities but is not available to the general public. 

How to Submit Comments

You can submit comments to the Agency electronically or by mail. 

  • Mail: Send your comments to the following address: 

California Privacy Protection Agency
Attn: Debra Castanon
915 Capitol Mall, Suite 350A
Sacramento, CA 95814

The Agency has a list of tips for submitting effective comments.