
Fasten Your Seatbelts: CPPA Proposes Rules on Automated Decision-Making and Cybersecurity Audits and Finalizes Data Broker Regulations

Perkins on Privacy


After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking. 

This comes over a year after the Board released its initial draft of the cybersecurity audit and risk assessment regulations, which it subsequently revised for discussion. Additionally, at the meeting, the Board voted to finalize the Delete Act registration rules for data brokers, to increase the annual data broker registration fee, and to approve settlements with two data brokers.

Below is a summary of the meeting.

Kickoff of Formal Rulemaking on Cybersecurity Audits, Risk Assessments, ADMT, and Insurance. By a 4-1 vote, the Board voted to initiate formal rulemaking on proposed California Consumer Privacy Act (CCPA) regulations on a variety of topics:

  • Annual cybersecurity audits;
  • Privacy risk assessments; 
  • Establishing a consumer right to access and opt out of a business’s use of ADMT; 
  • Updates to the CCPA, such as introducing new definitions and clarifying guidance in example scenarios; and 
  • Application of the CCPA to insurance companies.

Board Member Alastair Mactaggart, who voted no on advancing the rulemaking package, expressed concern that the scope of what qualifies as ADMT is overly broad and that making ADMT a standalone trigger for conducting a risk assessment would overwhelm the CPPA with paperwork and make any enforcement ineffective. A number of industry representatives similarly voiced concern at the meeting that the proposed ADMT regulations, as currently written, would interfere with the ability of companies to advertise to their own customers and that the contemplated opt-out rights could increase bias in artificial intelligence model training data and present substantial practical obstacles. In addition, the CPPA’s estimates about the cost of its proposal evoked significant concern. According to the CPPA’s Standardized Regulatory Impact Assessment (SRIA), the proposed rulemaking package would impose an astounding $3.5 billion in direct costs on California businesses in the first full year and $1.08 billion in direct costs over the first 10 years (not counting costs on businesses outside California subject to the CCPA). Additionally, the SRIA estimates that the draft regulations would have a $31 billion adverse impact on investment in the state of California and result in a loss of 98,000 jobs in the state. 

On November 22, the public comment period opened and will conclude on January 14, 2025. 

Delete Act Regulations Finalized. The CPPA unanimously voted to finalize its proposed data broker regulations. Under the Delete Act, data brokers must register with the CPPA annually and, beginning August 1, 2026, fulfill deletion requests submitted by consumers through a centralized deletion mechanism (to be established by the CPPA by January 1, 2026). The approved regulations address a number of key definitions under the statute. By providing that “[a] business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer,” the regulations are expected to significantly expand the number of businesses subject to the law. The Board also unanimously voted to increase the annual data broker registration fee to $6,600. If approved by the Office of Administrative Law, the Delete Act regulations go into effect on January 1, 2025.

Data Broker Settlements. At the meeting, the Board also unanimously voted in its closed session to approve settlements with two data brokers alleged to have failed to register and pay the annual fee required under the Delete Act. Under the settlements, Growbots will pay $35,400 to resolve claims that it failed to register between February 1 and July 26, 2024. UpLead will pay $34,400 to resolve the Enforcement Division’s claims that the company failed to register between February 1 and July 21, 2024. In addition to the fines, both companies agreed to injunctive relief, including agreeing to pay the Enforcement Division’s attorney fees and costs resulting from any noncompliance. These settlements are the first enforcement actions under the Delete Act and follow the Enforcement Division’s announcement of an investigative sweep into data brokers on October 30.

Executive Director Soltani Announces Departure. Finally, Ashkan Soltani announced at the meeting that he is stepping down as Executive Director of the agency.

* * * *

Perkins Coie’s Privacy & Security practice has assisted clients in commenting on a number of CCPA proposed rules, and we will continue to keep readers informed of developments in this area.
