
After much anticipation, at a November 8 meeting, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations that seek to (1) update existing CCPA regulations; (2) implement requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implement consumers’ rights to access and opt-out of businesses’ use of automated decision making technology (ADMT); and (4) clarify when insurance companies must comply with the California Consumer Privacy Act (CCPA). The agency has grappled with these topics for more than two years, including soliciting formal comments in a February 2023 invitation for preliminary comments and conducting other stakeholder outreach. While in theory the new regulations are smaller in scope, some of the changes to the existing CCPA regulations do have an impact on businesses. Businesses should expect a fairly long process before the proposed regulations are finalized and effective.

At the meeting, the proposed Data Delete Act Regulations were unanimously approved for finalization to proceed to the Office of Administrative Law (OAL), the state agency overseeing California’s rulemaking process. Once the OAL approves the regulations, they will become effective as is. The Delete Act requires data brokers to register with the state of California and the CPPA to establish a universal data deletion mechanism. The Delete Act imposes fines of $200 per day for each day the data broker has failed to register, plus any expenses incurred by the agency in the investigation, and $200 for each deletion request for each day the data broker failed to delete personal information as required by the Delete Act. Companies are required to register every year on or before January 31 if they have acted as a data broker in the prior year. The CPPA is currently developing the Data Broker Requests and Opt-Out Platform (DROP), a universal deletion mechanism that will allow consumers to submit a single request that would direct all registered data brokers to delete their personal information and require continuous deletion every 45 days; it is expected to be released by January 1, 2026.

With the adoption of the new regulations, the agency appears to be signaling an aggressive enforcement posture for the foreseeable future, despite the resignation of its executive director, Ashkan Soltani, which also was announced at the board meeting. Given the outgoing director’s profound impact on the CPPA’s trajectory since its 2018 inception, the selection of the successor carries substantial weight. This new leader will inherit considerable authority in shaping the enforcement landscape, impacting the rigor, focus, and adaptability of California’s privacy protections. Agencies should closely monitor this transition, as it holds significant implications for the future of privacy in the state.

Also as part of the meeting, the CPPA Board approved settlements with two data brokers accused of not registering and paying the required annual fee under the Delete Act. These settlements came shortly after the CPPA’s announcement that it was conducting a “public investigative sweep” of data broker registration compliance.

Before closing the meeting, the CPPA identified key future priorities, such as procedures for authorized agents, rules for employee data, loyalty programs, financial incentive regulations, and creating model notices for insurance and risk assessments.

Marketers that are subject to the CCPA should pay close attention to the forthcoming CCPA regulations and consider submitting comments to the CPPA when the formal rulemaking process begins soon.

Highlights of the Proposed Regulations

Amendments to Existing CCPA Regulations

  • Programmatic advertising/real-time bidding would be subject to “instantaneous” opt-out requirements, changing from the current 15-day compliance period.
  • A business would be required to display the status of opt-out preference signals and provide a means to confirm that opt-outs and requests to limit have been processed by the business.
  • New deletion and correction requirements would mandate that businesses ensure information “remains” deleted or corrected.
  • Businesses must provide “a way” for consumers to confirm accuracy of information maintained, even when businesses cannot provide that information to the consumer.
  • The notice of the “right to limit” would be required to be provided in the same manner in which the business collects sensitive personal information.

ADMT, Risk Assessments, and Cyber Security Audits

  • The proposed regulations provide consumers the right to (1) request information about the business’s use of ADMT with respect to the consumer, (2) opt out of the use of ADMT, and (3) appeal the business’s use of ADMT for a “significant decision” as defined in the proposed regulations (e.g., employment, credit, education).
    • Businesses would be required to disclose the “logic” used in their ADMT uses and the “output” of the ADMT, thereby potentially threatening the disclosure of trade secrets.
  • The proposed definition of “automated decision making technology” (ADMT) is very broad and could cause significant confusion regarding what requires a risk assessment and opt out. ADMT is defined to include “any technology that processes personal information and uses computation to execute a decision, replace human decision making, or substantially facilitate human decision making,” and to include artificial intelligence and profiling.
  • Businesses would be required to (1) conduct risk assessments for the (i) use of ADMT for a significant decision concerning a consumer or for “extensive profiling” (including profiling for behavioral advertising), and (ii) processing the personal information of consumers to train ADMT or AI in enumerated circumstances; (2) issue a pre-use notice with respect to ADMT; and (3) comply with restrictions on the use of personal information to train ADMT and AI.
    • The proposed definition of “behavioral advertising” is confusing, unnecessary, and extends beyond the CPPA’s authority to regulate. “Behavioral advertising” is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity—both across businesses, distinctly-branded websites, applications, or services, and within the business’s own distinctly-branded websites, applications, or services.” Under the proposed definition, “behavioral advertising” would include cross-contextual behavioral advertising but not nonpersonalized advertising. The CCPA includes no right to opt out of a business’s marketing of its own products and services to an existing consumer. The draft regulations would create a new right and would contradict the statute.
  • The CPPA proposes that businesses that process personal information that “presents significant risk to consumers’ privacy” must conduct a risk assessment to determine whether the risks to consumers’ privacy outweigh the benefits to the consumer, the business, other stakeholders, and the public. Risk assessments must be conducted prior to the processing and updated at least once every three years. The types of activities that could involve “significant risk” are broadly defined in the proposed rulemaking, including:
    • Processing activities involving the sale or sharing of personal information.
    • Processing activities involving the processing of sensitive personal information (other than in certain employment or benefits contexts).
    • Processing activities involving a significant decision concerning a consumer, extensive profiling (including for behavioral advertising), or training ADMT. All three of these categories trigger ADMT rules, as we’ve discussed above.
  • The proposed regulations list the types of information that must be included in the risk assessments, including processing details (i.e., identification of the purpose of the processing, the categories of personal information that will be processed, and how the business collects, uses, and discloses the information); the benefits of the processing including in particular expected profits for the business; possible negative impacts to consumer privacy; and how the business will safeguard against possible negative impacts.
  • The proposed regulations would require relevant individuals to prepare, contribute to, or review the risk assessment, based upon their level of involvement in the processing activity that is subject to the risk assessment (e.g., product, fraud-prevention and compliance teams), and would permit external parties to assist with conducting risk assessments (e.g., service providers, contractors, consumer advocacy organizations).
  • Businesses would be required to retain risk assessments (including updated versions) for as long as the processing continues or for five years after the completion of the risk assessment, whichever is longer.
  • The proposed regulations would require an “abridged form” of all risk assessments to be submitted to the CPPA within 24 months of the effective date of the regulations and annually thereafter. The CPPA and the CA AG also would have the right to request a risk assessment at any time, at which point a business would be required to submit such risk assessment within 10 business days of such request.
  • The proposed regulations would require businesses to conduct cybersecurity audits where the processing of consumers’ personal information presents “significant risk to consumers’ security,” defined as when the business either: (1) derives at least 50 percent of its annual revenues from “selling” or “sharing” consumers’ personal information in the preceding calendar year or (2) in the preceding calendar year had annual gross revenues in excess of $25 million and (a) processed the personal information of at least 250,000 consumers or households or (b) processed the sensitive personal information of at least 50,000 consumers.
  • The rule package includes a reference to the overlap between CPPA and the current privacy regulations in California for insurance. However, the proposed text largely fails to provide much clarity in this area.

The public comment period for the proposed CCPA regulations on ADMT, risk assessments, cybersecurity audits, and updates to the existing CCPA regulations opened on November 22, 2024. Public comment will be accepted until January 15, 2025. The 4As and other advertising industry groups will submit public comments on the regulations before the January 15, 2025 comment deadline.

Highlights of the Final Delete Act Regulations

  • The new Delete Act regulations significantly expand the scope of which businesses are considered data brokers by asserting in the regulations’ definition of “direct relationship” that, “[a] business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”
  • The regulations require parent companies and subsidiaries to register as separate data brokers.
  • The regulations require the disclosure of products and services covered by certain laws and the related percentage of an entity’s data broker activities affected by these laws.
  • The regulations increase the data broker registration fee from $400.00 to $6,600.00 to fund the development of DROP.
  • Data brokers must disclose specific information about their data collection practices, including whether they collect consumers’ reproductive healthcare data (RHCD) or the personal information of minors (defined).
    • The definition of RHCD could be interpreted to include all data types, not just “personal information,” potentially leading to confusion. This broad definition is particularly problematic when data brokers collect only non-personal RHCD. In such cases, if a consumer requests the deletion of this RHCD, the request would likely be denied, as the data falls outside the scope of the CCPA.


Legal challenges to all the regulations mentioned above are likely as they progress, particularly regarding how specific provisions are interpreted and applied. The results of such lawsuits are uncertain and could significantly affect how the regulations are ultimately implemented.

The CCPA remains a moving target for compliance: the law is expected to continue to evolve in the years ahead with new legislative amendments and new regulations that expand the scope of requirements that businesses must adhere to.

***UPDATE and CORRECTION***

The California Privacy Protection Agency’s (CPPA) new data broker regulations took effect on December 27, 2024, not in April 2025 as previously written. They are now in effect during the CPPA’s annual data broker registration period, which lasts from January 1 to January 31, 2025. Any business that operated as a data broker in 2024 is required to register during this period.

California regulations typically take effect quarterly, with at least one month between the date the Office of Administrative Law (OAL) files a regulation with the Secretary of State and the effective date, pursuant to California Government Code 11343.4(a). However, the CPPA’s regulations went into effect the day after they were filed with the Secretary. According to information obtained from the OAL and CPPA, the CPPA petitioned OAL to make the regulations effective earlier by demonstrating good cause (pursuant to Cal. Gov’t Code § 11343.4(b)(3)).

Have questions about the CCPA and Delete Act regulations? Please contact Amanda Anderson, 4As VP of Government Relations & Sustainability.