CPPA Adopts New Regulations for Data Brokers and Advances ADMT Rulemaking Package

News:

SAN FRANCISCO — The California Privacy Protection Agency (CPPA) Board voted on November 8 to adopt new regulations regarding data broker registration requirements. In addition, the board voted to advance the proposed rulemaking package for insurance, cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), and updates to existing regulations, to the formal rulemaking process.

The data broker registration regulations will next be filed with the Office of Administrative Law for review and approval. If approved, the regulations will become effective by January 1, 2025. The larger rulemaking package, which includes provisions implementing consumers’ rights with respect to ADMT, will move to a 45-day formal public comment period, commencing the formal rulemaking stage for the proposal.

“The advancement of each of these regulation packages is crucial for protecting Californian’s privacy rights,” said Executive Director Ashkan Soltani, “Technology is evolving at a record pace, and we must innovate and evolve as well. The board’s vote today is an important next step in the Agency’s mission, and I applaud the care and thoughtfulness that went into developing the draft rules.”

Data Broker Regulations

The newly adopted regulations clarify provisions in the Delete Act, which requires data brokers to register with the CPPA.

“After administering the data broker registration process for the first time in January of this year, we determined that more clarity was needed,” said General Counsel Philip Laird. “These rules refine the procedures for data brokers and increase public awareness.”

The newly adopted data broker regulations include provisions to:

  • Clarify registration requirements; Define important terms such as “direct relationship,” “minor,” and “reproductive health care”;
  • Require data brokers to disclose specific information about their exempt data collection practices; and
  • Clarify procedures for registration changes.

Separately, the Board also voted to adjust the data broker registration fee for the January 2025 registration period to cover the costs to develop and maintain the registry and the deletion mechanism as directed by the Legislature.

A copy of the proposed regulations can be found on the Agency’s website.


Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments and ADMT

The Board has also voted to move proposed regulations for insurance, cybersecurity audits, risk assessments, and ADMT into formal rulemaking.

The proposed rulemaking package:

  • Updates existing CCPA regulations;
  • Clarifies when insurance companies must comply with the CCPA;
  • Implements requirements for certain businesses to complete annual cybersecurity audits;
  • Implements requirements for certain businesses to conduct risk assessments; and
  • Establishes consumers’ rights to access and opt-out of businesses’ use of ADMT.

The proposed regulations are based on several years of preliminary rulemaking activities, including receiving written comments from the public, hosting public stakeholder sessions through the state, and meeting with stakeholders to receive invaluable feedback.

The package now moves into the formal rulemaking process, where the public will have the opportunity to provide formal written and oral comments to CPPA on the regulations. After receiving public comments, the Board will have additional opportunities to discuss and potentially update the proposed rules.

Visit CPPA’s Laws & Regulations webpage to learn more about the rulemaking process.

About Us

The California Privacy Protection Agency (CPPA) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act.

Individuals can visit privacy.ca.gov to access helpful and up-to-date information on how to exercise their rights and protect their personal information. In addition, the Agency’s website provides important information about CPPA board meetings, announcements, and the rulemaking process.