CPPA Issues Invitation for Preliminary Comments on Cybersecurity Audits, Risk Assessments, and Automated Decision making

Today, the California Privacy Protection Agency (CPPA) issued an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: Cybersecurity Audits, Risk Assessments, and Automated Decision making. The invitation follows the CPPA Board’s vote on February 3, 2023 to invite pre-rulemaking comments from the public on these topics.

In November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA added new privacy protections to the California Consumer Privacy Act (CCPA), and established a new agency, the CPPA, to implement and enforce the law.

The CPRA amendments to the CCPA direct the Agency to issue regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to (1) perform a cybersecurity audit on an annual basis; and (2) submit to the CPPA on a regular basis a risk assessment with respect to their processing of personal information. In addition, the CPRA amendments direct the Agency to issue regulations governing access and opt-out rights with respect to businesses’ use of automated decision making technology.

The Agency invites interested parties to submit pre-rulemaking comments on Cybersecurity Audits, Risk Assessments, and Automated Decision making by 5:00 p.m. PT on Monday, March 27, 2023.

More information, including a copy of the invitation is available here.

Contact: press@cppa.ca.gov