On July 16, 2024, the California Privacy Protection Agency (the “CPPA”) board declined to advance to formal rulemaking California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automated decisionmaking technology, insurance companies and updates to existing regulations. The CPPA board voted against advancing the regulations during its board meeting when it also received an update on CPPA enforcement priorities.
CPPA Board Declines to Advance Draft Regulations to Formal Rulemaking
The CPPA board decided against advancing the draft regulations, in part, because board members disagreed on the scope of the risk assessment and automated decisionmaking technology draft regulations. Board Member Alastair MacTaggart criticized the broad scope of the draft regulations. The CPPA board tasked the CPPA staff with revising the draft regulations to narrow the scope of processing activities that trigger obligations under the proposed regulations.
The CPPA board expects to review the revised draft regulations during its September meeting. If the CPPA board advances the draft regulations to formal rulemaking in September, the earliest the draft regulations could take effect is January 1, 2025, but that would require the CPPA to submit finalized regulations to the California Office of Administrative Law (“OAL”) and for the OAL to approve the rulemaking and file the proposed regulations with the secretary of state by November 30, 2024. Otherwise, the earliest date the draft regulations could take effect is April 1, 2025.
CPPA Highlights Enforcement Priorities
Deputy Director of Enforcement Michael Macko informed the CPPA board that the CPPA will investigate businesses that (i) unnecessarily request information from consumers to verify privacy requests, (ii) sell personal information without providing consumers proper notice and opt-out mechanisms, (iii) use dark patterns to prevent consumers from asserting their privacy rights, and (iv) violate the CPPA in a way that harms vulnerable populations. Deputy Director Macko maintained that the CPPA will continue enforcement related to privacy notices and policies, the right to delete, and administrative and technical processes to comply with consumer privacy rights requests.
The CPPA reported that it is building relationships with state, federal, and international regulators, including by entering into cooperation agreements, to share investigation experiences and advance its enforcement priorities.