US

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business

As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”).  One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (i.e., the funding freezes, deferred resignation offer, and birthright citizenship, among others).Continue Reading A New Era: Trump 2.0 Highlights for Privacy and AI

On January 23, 2025, President Trump issued a new Executive Order (EO) titled “Removing Barriers to American Leadership in Artificial Intelligence” (Trump EO). This EO replaces President Biden’s Executive Order 14110 of October 30, 2023, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (Biden EO), which was rescinded on January 20, 2025, by Executive Order 14148.

The Trump EO signals a significant shift away from the Biden administration’s emphasis on oversight, risk mitigation and equity toward a framework centered on deregulation and the promotion of AI innovation as a means of maintaining US global dominance.Continue Reading Key Insights on President Trump’s New AI Executive Order and Policy & Regulatory Implications

The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will