The California Privacy Protection Agency released proposed CCPA rules for a variety of topics in November, as well as announcing an investigative sweep for compliance with the Delete Act. Topics include the following, which we cover in this week's California-focused blog posts:
- Automated decisionmaking: the draft revises what was previously proposed in December 2023.
- Risk assessments: the draft revises what was previously proposed in September 2023.
- Cybersecurity audits: the draft revises what was previously proposed in September 2023.
- Insurance industry: clarifies applicability of CCPA to the insurance industry.
- Data broker obligations: both adopting rules as well as an announced enforcement sweep.
Companies have until January 14, 2025 to comment on the proposed rules (for the first four topics above). The agency will then begin the formal rulemaking process, during which it can make significant changes to these drafts.
Putting It Into Practice: Companies who engage in activities that could be viewed as "automatic decisionmaking" under CCPA will want to review these new proposals. Similar review should be made of the risk assessment, audit and data broker obligations. We will look at each in turn in further posts this week.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
