CDT submitted comments to the California Privacy Protection Agency, in response to an invitation for comments on the Agency’s preliminary rulemaking pursuant to the California Privacy Rights Act of 2020 (CPRA). As the Agency initiates its CPRA rulemaking process, our comments call on the Agency to ensure that businesses are accountable to consumers by requiring covered entities to:
- Provide access to information about automated or algorithmic decision-making systems,
- Establish sufficient standards for deidentification and use restrictions,
- Properly train designated staff with relevant expertise who are responsible for carrying out covered entities’ data practices, and
- Establish additional safeguards and limitations for the use of sensitive personal information beyond opt-out.
Further, our comments urge the Agency to ensure that CPRA regulations do not have unintended consequences that may interfere with governmental entities’ control over their data held by their service providers.