Thought Leadership

The California Privacy Protection Agency-Proposed Rulemaking

Client Updates

The California Privacy Protection Agency has circulated proposed rulemaking for public comment-comments due by Monday, November 8, 2021.

The passage of the California Privacy Rights Act of 2020 (“CPRA”) established the California Privacy Protection Agency (“CPPA” or “Agency”) and provided it with administrative authority to regulate and enforce both the CPRA and the California Consumer Privacy Act (“CCPA”).

On September 22, 2021, in one of its first significant acts since its membership appointments, the CPPA circulated proposed rulemaking for public comment,1 addressing a number of topics and questions that the Agency hopes to use in formulating future regulations.

The following is a summary of these topics, which provides insight into how these issues may reveal the Agency’s future rulemaking.

What topics are submitted?

The invitation outlines eight topics (and various sub-topics) for comment, covering a myriad of possible areas of further investigation:

  1. Processing that Presents a Significant Risk to Consumers’ Privacy or Security
    Here, the CPPA seeks comments related to the various risks associated with data processing activities. Within this topic, the Agency is focused on: (1) the risks inherent in processing with a business’s “legitimate” interests (i.e., the risks that processing poses to consumers on balance with the benefits that businesses provide to consumers throughout that processing) and (2) the scope of security audits, suggesting that audits should not place too onerous a burden on companies, especially where businesses process minimal personal information.
  2. Automated Decision-making
    The CPRA allows consumers to opt-out of the use of automated decision-making technology. However, the CPRA itself is relatively silent about the details of this technology. As a result, the Agency’s invitation requests comments regarding the scope of “automated decision-making.” In addition, the Agency also requests clarification on a business’s obligations with respect to a consumer’s opt-out or access requests, such as what information the business must disclose, the procedures the business should follow when responding to a request, and what information consumers may access regarding such processing.
  3. Audits Performed by the Agency
    While the CPPA is given rather broad administrative powers with respect to their enforcement authority, this topic specifically seeks input on the scope of the Agency’s “audit” authority. The audit process itself has the potential to impinge on a business’s propriety information and processes and poses a risk that personal information (and possibly even sensitive personal information) may be exposed to a third-party, namely, the CPPA.
  4. Consumers’ Right to Delete, Right to Correct, and Right to Know
    The CCPA originally granted the Right to Know and Right to Delete, with the CPRA adding to the Right to Correct. However, the outer limits of these rights require balancing, which the Agency seeks to define further with these comments by recognizing that consumers cannot abuse these rights by submitting fraudulent, unnecessary, or voluminous requests.
  5. Consumers’ Right to Opt-out of Sale/Sharing of Personal Information
    In addition to the sale of personal information, the CPRA limits a business’s sharing of certain information. This topic is directed to the procedural application of those rights, including how a business should respond to such requests, the technical implementation of these opt-out rights, and how businesses can allow consumers to opt-in after previously exercising an opt-out right.
  6. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
    The CPRA adds a new category of personal information, sensitive personal information, along with certain corresponding rights for consumers. This topic seeks to define the scope of that right by determining when information is deemed “collected” outside of the restricted confines of the law, as well as the degree to which a business can continue to process information after a consumer limits such processing.
  7. Information to be provide in Response to a Consumer Request to Know
    This topic seemingly centers on the regulation of unduly burdensome or voluminous consumer requests. In particular, the Agency seeks to determine when a business can deny a consumer request for information that has been processed beyond the 12-month period for retention required under the CPRA based on the exceptions for impossibility or disproportionate effort.
  8. Definitions and Categories
    Beyond the specific topics covered above, the invitation also requests updates to many of the categories of information (such as personal information or sensitive personal information) and definitions that the Agency can modify through its regulatory authority. Through this, the Agency can conceivably expand, or even restrict, the full scope of the CPRA.

What these topics may mean for future enforcement?

The CPPA is seeking comment on a variety of topics from both businesses and consumers, including comments not covered within the invitation itself. We are already able to identify at least two major issues that are top of mind for the Agency:

  • First, the Agency appears focused on the balancing of consumer rights with legitimate business interests (i.e., businesses that provide legitimate, helpful services to the community). At the same time though, the Agency recognizes the legitimate risks that processing of personal information can pose to consumers, as well as the rights that consumers are entitled to under both the CCPA and CPRA.
  • Second, the CPPA appears cognizant of the potential for abuse of consumer rights (and the effect such abuse on businesses). Consumers have the potential to submit myriad requests for copious amounts of information and businesses have limited recourse to refuse these requests. As such, businesses face the prospect of having to comply with an inordinate amounts of requests, sorting through the information they collect, store, and process, correcting (or verifying) information they hold, and changing the very basis of their own business models (as consumers request their data not be processed or shared).

Of course, these topics are still in the preliminary stages and ultimately both public comments and the Agency’s response will provide more direction for future rulemaking. Yet the framing of these topics provides insight into some of the concepts that the CPPA is considering and possible directions of development.

We will monitor the Agency as it continues its rulemaking process so that we can provide our clients with the most up-to-date information available and help them comply with these evolving legal obligations.


1Full text of the Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020, visit the CPPA’s website at


Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

Related Professionals