At IAPP GPS 2024, CPPA Executive Director Tom Kemp gave a clear message: the agency is shifting into high gear—expanding its regulatory scope and sharpening its enforcement focus.

🔍 Here's what to watch:

🛠️ New rules coming: The CPPA is preparing to finalize regulations on automated decision-making (ADMT), cybersecurity audits, and implementation of the Delete Act—which includes a new portal (DROP) allowing Californians to request deletion of their data from all registered data brokers.

⚖️ More enforcement, more clarity: The agency is increasing enforcement and intends to "telegraph" its priorities. Watch for guidance on core CCPA rights like access, deletion, and data minimization. The soft launch is over.

📊 Internal audit power: The CPPA is hiring a chief auditor and investigators to operationalize annual cybersecurity audits—a CPRA requirement with EU-style accountability.

🤖 AI rules coming fast: Upcoming ADMT rules include opt-out rights for personal-information-based AI systems. While generative AI may see carve-outs, the CPPA is laser-focused on how personal data powers automated decision-making. As Kemp put it, the goal is "guardrails, not brakes."

💰 And yes—it'll be expensive: Governor Newsom's office has projected a $3.5B cost in year one alone to implement new automation rules. But for many businesses, non-compliance will cost more.

✅ What it means for your privacy program:

Get involved in the rulemaking process this summer

Budget and plan for audit-readiness

Monitor ADMT definitions and opt-out requirements

Prepare for a more assertive enforcement landscape

California isn't slowing down. Are you keeping up?

