CPPA

As reported previously, the California Privacy Protection Agency (“CPPA”) closed the public comment period for its proposed cybersecurity audit, risk assessment and automated decision-making technology (“ADMT”) regulations (the “Proposed Regulations”) in late February. In advance of the CPPA’s April 4 meeting, the CPPA released a new draft of the Proposed Regulations, which proposed relatively minor substantive changes, but pushed back the dates for when certain obligations would become effective. The Agency’s Board met on April 4, 2025, to discuss the new proposals and comments received, as well as the potential for some very different alternatives, especially related to ADMT. Members of the CPPA Board debated the staff’s approach and ultimately sent the staff back to narrow the scope of the Proposed Regulations, clarify what was in and out of scope with more examples, and to further consider how to reduce the costs and burdens on businesses. While it is unclear exactly what staff will come back with, the alternatives discussed provide some hints on what a more constrained approach may look like.Continue Reading The Future for California’s Latest Generation of Privacy Regulations is Uncertain

As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”).  One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

Join

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

The California Privacy Protection Agency (CPPA) published a Notice of Extension of Public Comment Period and Additional Hearing Date on Friday, January 10, 2025, informing that the CPPA is extending the formal public comment period for the proposed updates to the California Consumer Privacy Act regulations regarding cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and insurance companies to ensure all Californians, including those affected by the devastating wildfires in Southern California, have the opportunity to participate. More information regarding public comments and the new deadline can be found here.Continue Reading CPPA Extends Public Comment Period from January 14, 2025, to February 19, 2025; Public Hearings for Interested Parties to be Held January 14, 2025, and February 19, 2025

On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Sultani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.Continue Reading Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act  (“CCPA”).  A year ago the current CCPA regulations were finalized, but several complex issues where reserved for further consideration and some proposals were pulled back to ease initial implementation.  Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations.  New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023.  In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk).  In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which will be subject to a further Board vote after reviewing the rule making package.  The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law.  Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest.  That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward

On March 8, 2024, the California Privacy Protection Agency (“CPPA” or “Agency”) Board (“Board”) will consider draft regulations that set forth how automated decisionmaking technology (“ADMT”) and profiling will be regulated under the California Consumer Privacy Act (“CCPA”).  The proposal includes the regulation of a new concept of “behavioral advertising” that is deemed “extensive profiling”

The California Privacy Protection Agency (“CPPA”) has published revised draft regulations detailing what it proposes to be required of businesses under the California Consumer Privacy Act (“CCPA”) to assess, mitigate and document risk before engaging in specified types processing of California residents’ personal information, and on March 8th is set to vote on advancing them to the public comment stage of rulemaking.Continue Reading More Detail on U.S. Data Processing Assessment Requirements

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29