On November 8, 2024, the California Privacy Protection Agency (the “CPPA”) Board advanced to formal rulemaking the California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT) and insurance. The CPPA Board also adopted the California Delete Act proposed regulations, which clarify data broker registration requirements and provide definitions for key terms under the Delete Act.
Formal Rulemaking on Cybersecurity Audits, Risk Assessments, ADMT and Insurance. The formal rulemaking package will update existing CCPA regulations, set forth cybersecurity audit and risk assessment requirements for certain businesses, provide new rights under the CCPA for consumers to access information regarding businesses’ use of ADMT and opt out of certain uses of ADMT, and provide clarity on when insurance companies must comply with the CCPA.
The earliest date that the draft regulations can take effect is April 1, 2025, following at least one 45-day public comment period. The CPPA Board must determine whether to revise the draft regulations based on comments received during that period. If the CPPA decides to substantially revise the draft regulations in a way that is not substantially related to the draft regulations (i.e., the changes are not reasonably foreseeable), the CPPA must provide an additional 45-day public comment period. Changes requiring an additional 45-day public comment period are uncommon. If the CPPA makes substantial changes to the draft regulations that are substantially related to the draft regulations (i.e., the changes are reasonably foreseeable), the CPPA must provide a 15-day public comment period. The CPPA may conduct more than one 15-day comment period before the final regulations are adopted. The draft regulations will take effect April 1, 2025, if adopted and filed with the California Secretary of State between December 1, 2024, and February 28, 2025. Otherwise, the draft regulations will take effect at a later date based on when they are filed with the Secretary of State.
Proposed Data Broker Regulations under the Delete Act. Under the Delete Act, data brokers must register with the CPPA annually and, beginning August 1, 2026, fulfil deletion requests submitted by consumers through a one-stop-shop deletion mechanism (to be established by the CPPA by January 1, 2026). The proposed regulations define key terms such as “direct relationship,” “minor” and “reproductive health care.” The new definition of “direct relationship” in particular will create issues for many businesses that have first-party relationships with customers but append customer profiles with third-party demographic and other marketing data, potentially moving many parties that are not typically deemed data brokers into that category under the law. The proposed regulations also set forth data broker registration requirements and the procedures for registration changes. The proposed regulations will next be filed with the California Office of Administrative Law (“OAL”) for review and approval and, if approved, will become effective January 1, 2025.
The CPPA Board’s announcement on the proposed regulations and the formal rulemaking can be found here. Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments surrounding CPPA rulemaking and provide updates as more information becomes available. Please contact us if you have any questions.