28 November 2024

Fasten Your Seatbelts: CPPA Proposes Rules On Automated Decision-Making And Cybersecurity Audits And Finalizes Data Broker Regulations

Perkins Coie LLP



After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking.

This comes over a year after the Board released its initial draft of the cybersecurity audit and risk assessment regulations, which it subsequently revised for discussion. Additionally, at the meeting, the Board voted to finalize the Delete Act registration rules for data brokers and to increase the annual data broker registration fees, and it approved settlements with two data brokers.

Below is a summary of the meeting.

Kickoff of Formal Rulemaking on Cybersecurity Audits, Risk Assessments, ADMT, and Insurance. By a 4-1 vote, the Board initiated formal rulemaking on proposed California Consumer Privacy Act (CCPA) regulations on a variety of topics:

  • Annual cybersecurity audits;
  • Privacy risk assessments;
  • Establishing a consumer right to access and opt out of a business's use of ADMT;
  • Updates to the CCPA, such as introducing new definitions and clarifying guidance in example scenarios; and
  • Application of the CCPA to insurance companies.

Board Member Alastair Mactaggart, who voted no on advancing the rulemaking package, expressed concern that the scope of what qualifies as ADMT is overly broad and that making ADMT a standalone trigger for conducting a risk assessment would overwhelm the CPPA with paperwork and make any enforcement ineffective. A number of industry representatives similarly voiced concern at the meeting that the proposed ADMT regulations, as currently written, would interfere with the ability of companies to advertise to their own customers and that the contemplated opt-out rights could increase bias in artificial intelligence model training data and present substantial practical obstacles. In addition, the CPPA's estimates about the cost of its proposal evoked significant concern. According to the CPPA's Standardized Regulatory Impact Assessment (SRIA), the proposed rulemaking package would impose an astounding $3.5 billion in direct costs on California businesses in the first full year and $1.08 billion in direct costs over the first 10 years (not counting costs on businesses outside California subject to the CCPA). Additionally, the SRIA estimates that the draft regulations would have a $31 billion adverse impact on investment in the state of California and result in a loss of 98,000 jobs in the state.

On November 22, the public comment period opened and will conclude on January 14, 2025.

Delete Act Regulations Finalized. The CPPA unanimously voted to finalize its proposed data broker regulations. Under the Delete Act, data brokers must register with the CPPA annually and, beginning August 1, 2026, fulfill deletion requests submitted by consumers through a centralized deletion mechanism (to be established by the CPPA by January 1, 2026). The approved regulations address a number of key definitions under the statute. By providing that "[a] business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer," the regulations are expected to significantly expand the number of businesses subject to the law. The Board also unanimously voted to increase the annual data broker registration fee to $6,600. If approved by the Office of Administrative Law, the Delete Act regulations go into effect on January 1, 2025.

Data Broker Settlements. At the meeting, the Board also unanimously voted in its closed session to approve two settlements with two data brokers alleged to have failed to register and pay an annual fee required under the Delete Act. Under the settlements, Growbots will pay $35,400 to resolve claims it failed to register between February 1 and July 26, 2024. UpLead will pay $34,400 to resolve the Enforcement Division's claims that the company failed to register between February 1 and July 21, 2024. In addition to the fines, both companies agreed to injunctive relief, including agreeing to pay the Enforcement Division's attorney fees and costs resulting from any noncompliance. These settlements are the first enforcement actions under the Delete Act and follow the Enforcement Division's announcement of an investigative sweep into data brokers on October 30.

Executive Director Soltani Announces Departure. Finally, Ashkan Soltani announced at the meeting that he is stepping down as Executive Director of the agency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
