Consumer Reports submitted feedback to the California Privacy Protection Agency (CPPA) in response to its Invitation for Preliminary Comments on Proposed Rulemaking on Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. As part of its statutory authority under the California Privacy Rights Act, CPPA may issue regulations on a number of issue areas not otherwise detailed in the law. CPPA previously issued broader regulations to update the regulations that governed the California Consumer Privacy Act (CCPA), which the CPRA succeeded on January 1 of 2023.
Consumer Reports advocated that CPPA emphasize enforcement of cybersecurity audits and risk assessments to ensure their utility as accountability mechanisms. CR also urged CPPA to consider how it can proffer meaningful opt out and explainability rights relative to automated decisionmaking systems that produce legal or similarly significant effects.
To learn more, please read the attached comments.