On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29, 2024. As a result of the Court of Appeal’s order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency – including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology – will not be subject to a future delay.

The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.

Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: “We are plotting.”

Stay tuned for more on this from Privacy World in the coming days, and buckle up!

On November 3, 2022, the CPPA officially released the CPRA Modified Regulations (Modified Regs) for the expected 15-day comment period. The public comment period will end on November 21, 2022, and interested parties may submit written comments about the Modified Regs until 8AM Pacific Time on that date. This update came following a two-day meeting of the CPPA Board on October 28th and 29th, discussed here.

Following this comment period, the Modified Regs will have to be formally approved and sent to the Office of Administrative Law (OAL), which will also review and approve or reject the regulations. Once approved by the OAL, the regulations will become final.

For more information on the impact of the Modified Regs or the comment period, contact the authors or your relationship partner at the firm. CPW will continue to cover the CPRA rulemaking process and other state privacy law developments, as well as federal legislative and regulatory efforts.

At a two-day meeting that took place on October 28th and 29th, the CPPA considered the CPRA Modified Regulations (Modified Regs) that were published on October 17th of this year. We analyze the initial proposed CPRA regulations here.

On the proposed changes of the Modified Regs, the CPPA Board (the Board) considered clarifying amendments while maintaining the initial intent of the (i.e., no further substantive changes). There are three amendments of particular importance that were discussed:

On Friday, September 23, the California Privacy Protection Agency (CPPA) held a Board meeting about various CPPA administrative activities.

The California Privacy Rights Act (“CPRA”) places significant power in the hands of the California Privacy Protection Agency (“CPPA” or “Agency”) to influence the future of privacy regulation in the United States, including—perhaps most importantly—the authority to issue regulations in twenty-two specific, enumerated areas to achieve the broad objective of “further[ing] the purposes of” the CPRA.

As to automated decision-making and profiling, the CPRA has granted the Agency the equivalent of a regulatory blank check. In this regard, the CPRA references profiling or automated decision-making a total of two times throughout the voluminous text of the statute: first, in defining the term “profiling,” and second, in the law’s broad rulemaking mandate:

Issuing regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.

For this reason, the CPPA has focused a significant amount of its preliminary rulemaking activities on automated decision-making and profiling. This focus began in the fall of 2021 when profiling and automated decision-making were included as part of nine topics on which the Agency sought public comment. In late March, the CPPA hosted informational sessions—during which time the Agency discussed automated decision-making for the majority of an entire day, including cross-jurisdictional approaches to automated decision-making and profiling under the EU’s General Data Protection Regulation.

Just last week, the CPPA held stakeholder sessions (Agenda here) over the course of three days, during which it set aside three hours in the first half of the first day for stakeholders to comment on automated decision-making. Importantly, these comments—provided by a range of stakeholders—offer key insights into some of the more complex, challenging issues that businesses will face when adapting their privacy programs to comply with the new rules and restrictions that will be placed on automated decision-making under the CPRA beginning at the start of 2023.

The comments and positions of the individuals that spoke on the topic of automated decision-making varied widely. However, there were several common, key themes reiterated throughout the session that shine a light on concerns shared by various stakeholders, as well as the tug of war between their (and others’) competing interests. The stakeholder comments also highlighted the complexity of striking a balance between regulating automated decision-making technology and profiling in a privacy-protective manner while at the same time avoiding overly restrictive regulations that would hamper innovation. Many of the comments made fell under the following themes:

  • The Type of Automated Decision-Making Activities That Should Be Regulated: Many speakers highlighted the potentially significant, unintended ramifications of an overly broad scope for the term “automated decision-making technology,” which would result in producing little benefit to consumers while at the same time greatly hampering the operations of businesses across all sectors. For that reason, many speakers emphasized the need to limit the reach of automated decision-making regulation to: (1) fully automated decision-making technology; and (2) technology that produces legal or similarly significant effects, such as those bearing on a consumer’s employment or credit; and/or (3) high risk activities, sensitive data, and/or automated decision-making that constitutes profiling. In addition, several other speakers noted the need for a requirement that the term encompasses only those activities that involve the processing of personal information (which would seem to be inherent in the CPRA regardless).
  • Consumer Rights Relating to the Use of Automated Decision-Making Technology: Speakers also frequently highlighted the need for balance as it relates to consumers’ access rights regarding automated decision-making technology. On the one hand, as many speakers suggested, the CPRA should not impose requirements on businesses to disclose information to consumers on low-risk automated decision-making technology, such as spell check or spreadsheets. On the other, the CPPA was cautioned to avoid crafting regulations that afforded access rights that would require businesses to provide detailed descriptions of complex algorithms involved in automated decision-making, as doing so would fail to provide average consumers with “meaningful” information regarding the information and logic underlying automated processing. At the same time, the required disclosure of algorithms and similar sensitive business information would also likely conflict with the right of businesses to protect their trade secrets and similar types of information.
  • Consumer Opt-Out Rights Relating to Automated Decision-Making: Many speakers shared the common concern that the significant benefits offered by automated decision-making technology to consumers and businesses alike could be severely hampered by granting consumers overbroad opt-out rights as it relates to activities that fall under the definition of automated decision-making. At a minimum, several speakers suggested, regulations relating to automated decision-making should be tethered to the CPRA’s statutory rights of access and opt-outs.
  • Alignment with the GDPR and other Regulatory Schemes: Many stakeholders, including a representative of the Future of Privacy Forum, urged that the regulations should align with GDPR Article 22. Others pointed to the EU’s pending Digital Services Act, as well as the Artificial Intelligence Act, for other schemes with which the CPRA’s regulations should be consistent.

Conclusion

Following the CPPA’s May stakeholder sessions, the CPPA will begin the formal rulemaking process, but final Regulations are not anticipated to be issued until sometime in early 2023. Companies should monitor for developments in the area of CPPA rulemaking to ensure they are aware of any anticipated changes in the law, which will go into effect at the start of 2023. In addition, companies should immediately begin adapting their privacy programs for compliance not only with the CPRA but also with the Colorado, Connecticut, Virginia, and Utah laws that will come online over the course of 2023.

For more information on the stakeholder sessions, including other topics discussed, you can visit the CPPA’s events page here.

Check back often for more of SPB’s and CPW’s thought leadership on the CPRA and the other 2023 state privacy laws, as well as on AI and automated decision-making. For a further discussion of the CPPA’s approach to rulemaking on automated decision-making and profiling, you can view a recording of our recent webinar 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence. In addition, SPB Partners Kyle Fath and Kristin Bryan will take a deeper dive into this and related topics in our June 2 webinar hosted by the International Association of Privacy Professionals (IAPP). Registration for the IAPP webinar is available here (free for IAPP members).

Readers of CPW know that our very own Lydia de la Torre has been selected to be an inaugural board member of the new California Privacy Protection Agency. Listen to what Lydia and Alan Friel, Deputy Chair of SPB’s Data Privacy group, have to say in a must-listen podcast. They discuss the history of privacy policy, the growing influence of European privacy principles, and the new privacy laws we are seeing, or can expect, at the state and federal levels here in the United States. Absolutely essential stuff for anyone working in an industry impacted by this growing body of law. Listen to it at Tech Freedom here.

And for more on all developments data privacy related, stay tuned.  CPW will keep you in the loop.

We congratulate our friend and colleague Lydia de la Torre on her appointment to the inaugural board for the California Privacy Protection Agency.  “Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal,” said Governor Newsom. “These appointees [including Lydia] represent a new day in online consumer protection and business accountability.”

In 2018, California became the first state in the U.S. to equip consumers with new privacy tools and new privacy rights under the California Consumer Privacy Act. On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which created the California Privacy Protection Agency. Enforcement of the CPRA will begin in 2023.  The California Privacy Protection Agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. The board of the CPPA will appoint the agency’s executive director, officers, counsel and employees. The agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA.

“The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights,” said Attorney General Becerra. “The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

“The chance to serve on the Board of the new California Privacy Protection Agency is a great opportunity for Lydia, and one for which she is exceptionally well suited given her diverse background and talents. She has uniquely balanced an academic and private practice career, and public service is a natural next step for her,” said Alan Friel, Deputy Chair of Squire Patton Boggs’ Global Data Privacy & Cybersecurity Practice. “We could not be happier for her and commend Senator Atkins on the selection of such a qualified individual. While we are sorry to see Lydia go, her selection continues a long tradition of public service by our attorneys, which our firm fully embraces.”

As readers of CPW already know, in a development that will bring dramatic changes to the California data privacy realm, on November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”).  You can read the fantastic analysis prepared by CPW’s Lydia de la Torre, Glenn A. Brown, Elliot Golding and Ann J. LaFrance here.

Well folks, one of the main changes brought about by the California Privacy Rights Act is the establishment of the California Privacy Protection Agency (“CPPA”) as an “independent watchdog” whose mission is both to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well‐informed about their rights and obligations.” Following up on that initial piece, Lydia de la Torre and Glenn A. Brown prepared an incredible, must-read analysis as to how, with passage of the CPRA, “the CPPA is set to become a key privacy regulator not only in California, but across the U.S. and the globe.” Check it out here.

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it prescribes in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities. Here are some things to do in preparation for 2026:

  • Assess which of the 20 state consumer privacy laws (CPLs) apply to your business, and update notices and rights request processes to identify which apply and address material differences in what each requires.
  • Consider new or modified data practices initiated in 2025, or under consideration to be introduced in 2026, complete risk assessments on them, and update the privacy notice to reflect at least the preceding 12-month period.
  • Implement a data processing risk assessment program, or revise the current process to reflect the new CCPA requirements, effective January 1.
  • Confirm you have contracts in place containing data protection terms required by CCPA and other CPLs with parties that receive (or access) your personal data – an ongoing California enforcement priority. Have these organized by service provider / processor or third party and be prepared to produce them upon regulatory inquiry.
  • Employers, especially in California, need to address use of automated decision-making tools. This will become an even more complex and time-urgent matter for California employers if Governor Newsom does not veto SB-7 (the “No Robo-Bosses” Act), which would become effective January 1 and add even further requirements and restrictions on technology-assisted HR decision-making. (Note: An inadequate privacy notice and rights request process for personnel was another basis for the Tractor Supply penalty.)
  • Review your tracking technologies and cookie banner(s) and preference tool(s) to support a defense to wiretapping (e.g., CIPA) claims and comply with CPL notice and opt-out requirements, including browser privacy control signals, as explained here.
  • If you process personal data of minors, consumer health data, precise location data, biometric data, or other sensitive personal data, consider the legal requirements and limitations that have been evolving in recent years and the growing application of consumer protection law principles to limit unexpected uses.
  • Revisit and update your information governance roadmap or project plan and seek budget for 2026 initiatives. This should include:
  • Consider Privacy Powered by SPB forms, templates, and guidance materials to help support your program and conduct a stakeholder survey to assess actual practices and knowledge of policies and procedures.

Many companies go on website code lock in mid-November, and Q4 is a hectic time between year-end financial closings and the holidays, so give yourself enough time to get revisions to notices, policies, and tools updated and published. Update your information governance roadmap for 2026 to reflect new laws, regulations, and enforcement trends and be sure your budget for next year reflects these needs.

For more information, contact the author or your Squire Patton Boggs relationship partner.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.