On February 10, 2023, the California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations.

Specifically, the CPPA has solicited feedback on the following topics:

• Cybersecurity audits: the impact of existing models on consumers and whether they should be used for CPRA rulemaking;

• Privacy and security risk assessments: the impact of existing models on consumers and whether they should be used for CPRA rulemaking, the processing of personal information that is likely to be harmful to individuals, and the format and frequency of risk assessments to be submitted to the CPPA; and

• Automated decisionmaking, including profiling: the impact of existing models on consumers and whether they should be used for CPRA rulemaking, business and consumer experience with automated decisionmaking technologies including algorithms, and processes for access and opt-out rights.

Comments may be submitted to the CPPA until Monday, March 27, 2023 at 5:00 p.m.