Proposed Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies

On November 8, 2024, the California Privacy Protection Agency (Agency) Board voted to commence formal rulemaking on the following regulatory subjects: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies. Specifically, the proposed regulations seek to (1) update existing CCPA regulations; (2) implement requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implement consumers’ rights to access and opt out of businesses’ use of ADMT; and (4) clarify when insurance companies must comply with the CCPA.

Notice Register Publication Date: November 22, 2024

Status of the Proposal: The public comment period for these proposed regulations is now open and closes on January 14, 2025, at 6:00 p.m. Pacific Time. More information about how to submit a written comment can be found in the Notice of Proposed Rulemaking in the rulemaking documents below. The Agency’s Board will determine whether to adopt or further modify the proposed regulations at a future Board Meeting.

A. Documents

January 14, 2025 - Notice of Proposed Rulemaking and Related Documents

B. Public Comments

Comments received during the 45-Day Comment Period will be linked below.