The Bank Policy Institute appreciates the opportunity to submit preliminary comments to the California Privacy Protection Agency on the proposed rulemaking on cybersecurity audits, risk assessments, and automated decision making under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
I. Executive Summary
BPI’s members are financial institutions that have invested significant time and resources into building data protection and information security compliance systems that align with federal and state financial privacy, consumer protection, and other financial services laws. BPI members are committed to promoting robust privacy protections for California consumers. Drawing on the experience of its members operationalizing privacy and security safeguards for their customers, BPI has provided comments on each of the three areas that will be addressed in the forthcoming rulemaking: cyber audits, risk assessments, and automated decisionmaking. In particular, BPI urges the Agency to consider:
 The Bank Policy Institute is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost two million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.
 Cal. Civ. Code § 1798.100 et seq.
 While BPI has provided its responses in a narrative form, it has listed the relevant questions addressed in its comments at the start of each section below.