Privacy & Cybersecurity Update – September 2021 | Skadden, Arps, Slate, Meagher & Flom LLPOctober 4, 2021
In this month’s edition of our Privacy & Cybersecurity Update, we examine the California Privacy Protection Agency’s public comment period for the California Privacy Rights Act, the U.K. government’s public consultation period regarding reform of its GDPR and federal court decisions involving the Fourth Amendment and discovery in a hacking lawsuit.
California Privacy Protection Agency Seeks Public Comments on Proposed California Privacy Rights Act Rulemaking
The California Privacy Protection Agency (CalPPA) issued an invitation for preliminary written comments from the public under the California Privacy Rights Act of 2020 (CPRA); comments are due November 8, 2021.
On September 23, 2021, CalPPA issued an invitation for preliminary public comments on proposed rulemaking under the CPRA. Under Section 1798.185 of the California Consumer Privacy Act (CCPA), as amended by the CPRA, CalPPA is directed to encourage public participation and develop new regulations to carry out the goals of the CCPA and the CPRA.
Comments are due Monday, November 8, 2021, though CalPPA also is planning to hold informational hearings to obtain further public input, though such hearings have yet to be scheduled.
On November 3, 2020, California voters passed the CPRA, which amended and extended the CCPA of 2018 in certain ways. These amendments included increasing the rights of California residents over personal information, creating new obligations for businesses with respect to the processing and sharing of personal information, and providing additional oversight and record-keeping requirements on businesses whose processing of personal information presents significant risks to consumers’ privacy.
The CPRA took effect on December 16, 2020, but most of the provisions won’t become enforceable until January 1, 2023. One of the key changes that took effect in 2020 was the establishment and funding of a new state agency, CalPPA, to implement and enforce the CCPA. Under the CPRA, the rulemaking authority previously held by the California Office of the Attorney General transferred to CalPPA, with the new agency’s responsibilities including updating existing regulations and adopting new regulations to implement the amendments called for by the CPRA. CalPPA is required to finalize these new regulations by July 1, 2022.
Key Topics for Public Comments
CalPPA is “particularly interested in comments on new and undecided issues not already covered by the existing CCPA regulations.” Relatedly, it is primarily seeking comments related to those changes under the CPRA that become enforceable on January 1, 2023, including regarding the following topics:
- Cybersecurity audits and risk assessments performed by businesses. The CPRA calls for businesses that process personal information that presents a significant risk to consumers’ privacy and security to conduct annual audits and regular risk assessments. CalPPA invites comments on the procedural…