November 8, 2021
California Privacy Protection Agency
Attn: Debra Castanon
915 Capitol Mall, Suite 350A
Sacramento, CA 95814
Re: Invitation for Preliminary Comments on Proposed Rulemaking under the California Privacy Rights Act of 2020 (Proceeding No. 01-21)
Dear Ms. Castanon:
The Securities Industry and Financial Markets Association (“SIFMA”)1 welcomes the opportunity to respond to the California Privacy Protection Agency (“CPPA”) Invitation for Preliminary Comments on Proposed Rulemaking under the California Privacy Rights Act of 2020 (“CPRA”).2 SIFMA previously provided comments on the Attorney General’s rulemaking under the California Consumer Privacy Act of 2018 (“CCPA”).3 SIFMA and its members are strongly committed to the protection of consumer data, privacy, and security, and its members have operated for years under the well-established protections of the Gramm-Leach-Bliley Act. SIFMA is responding to several of your specific requests but is also providing some additional thoughts on other areas that may be ripe for additional guidance from the CPPA.
1. Audits and Risk Assessments
SIFMA members perform audits and risk assessments for many purposes – including privacy and data protection – under various federal and state mandates. SIFMA believes that any additional rulemaking or guidance on when a covered business meets the “significant risk to consumers’ privacy or security” standard for initiating a risk assessment should focus on the factors to be considered in making this determination, which may align with the triggers for other audits or risk assessments. Further, internal audits should satisfy the requirements so long as they meet audit industry standards, thus balancing the need to provide or obtain relevant information without placing an undue burden on businesses, especially small businesses. In further developing any guidance on audits and assessments, the CPPA should consider implementing requirements similar to those adopted by the New York State Department of Financial Services (“NYDFS”) under 23 NYCRR Part 500 or Europe’s General Data Protection Act (“GDPR”) audit requirements. Many SIFMA members are currently complying with such audit and reporting requirements, which would make compliance with a similar requirement in California more seamless and efficient in both jurisdictions. Further, the NYDFS rules provide sufficient flexibility based on a company’s industry, size, locations, activities, etc.
SIFMA does not believe that additional rulemaking is necessary for assessing risks to consumer privacy versus benefits of businesses processing data, but additional guidance may be beneficial for further clarifying how the CPPA expects firms to make those assessments.
1 SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our members, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).
2 Invitation for Preliminary Comments on Proposed Rulemaking under the California Privacy Rights Act of 2020 (Proceeding No. 01-21) (September 22, 2021), https://cppa.ca.gov/regulations/pdf/invitation_for_comments.pdf
3 Letter from Melissa MacGregor, SIFMA to The Honorable Xavier Becerra (December 6, 2019),