| Update Applicable to: | Effective Date |
| All Data Brokers and Employers Subject to the CCPA | November 22, 2024, to January 14, 2025 – Public Comments; January 1, 2025 – Effective for Data Brokers; August 1, 2026 – Data Broker Registration |
What happened?
On November 8, 2024, the California Privacy Protection Agency (CPPA) Board 1) adopted new regulations for data broker registration and 2) advanced the rulemaking package for Automated Decision-Making Technology (ADMT) and other areas.
Quick Summary:
- The California Privacy Protection Agency (CPPA) Board adopted new data broker registration regulations and advanced a rulemaking package for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT).
- The data broker registration regulations will be reviewed by the Office of Administrative Law (OAL) and, if approved, will take effect on January 1, 2025. The ADMT rulemaking package will enter a 45-day public comment period.
What are the details?
These steps are part of the CPPA’s ongoing efforts to enhance privacy protections for Californians in response to evolving technology and data practices.
Data Broker Regulations Overview:
- Registration Requirements: The regulations include detailed registration instructions, fee payment methods, and definitions of key terms like “direct relationship” and “minor.”
- Disclosure Requirements: Data brokers must disclose their data collection practices and implement enhanced business privacy policies.
- Registration Updates: To update registration information, data brokers must log in to the designated portal, enter the new details, review for accuracy, submit the changes, and pay any applicable fees. They will then receive a confirmation receipt for the updates made.
- Fee Adjustments: Registration fees will be adjusted to cover the costs of developing and maintaining the data broker registry and the data deletion mechanism. These adjustments ensure adequate funding for these essential systems.
- Key Proposed Regulations: The CPPA Board has advanced key proposed regulations, now in the formal rulemaking phase, which update existing CCPA regulations, such as:
  - Sensitive Personal Information: Includes data from minors under 16.
  - Prohibitions on Dark Patterns: Makes prohibitions legally binding.
  - Protection After Deletion Requests: Prevents re-collection of data after deletion.
  - Opt-out Confirmation: Clear confirmation of opt-out request processing.
  - Transparency in Denied Requests: Businesses must inform consumers of their right to file a complaint if a request is denied.
  - Insurance Industry Guidance: Clarifies compliance with CCPA’s privacy requirements.
- Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments, and ADMT: These proposed regulations are now in the formal rulemaking process, with a 45-day public comment period expected to run through early 2025. If adopted, the regulations will take effect immediately.
- Regulation of ADMT and AI: New rules govern businesses’ use of Automated Decision-Making Technology (ADMT) and Artificial Intelligence (AI). These rules include consumer rights to request information, opt out, and appeal decisions made using ADMT.
- Risk Assessment Requirements: Businesses must conduct detailed risk assessments for data processing, especially when using ADMT or AI for significant decisions or profiling.
- Cybersecurity Audits for High-Risk Data Processing: Businesses that process significant volumes of personal data or derive substantial revenue from selling or sharing data must conduct annual cybersecurity audits.
- Submission of Risk Assessments and Cybersecurity Audits: Businesses must submit their risk assessments and cybersecurity audits to the CPPA within 24 months of the regulations’ effective date and annually thereafter.
- ADMT Rulemaking Package: The ADMT rulemaking package includes updates to existing regulations and new requirements for cybersecurity audits, risk assessments, and insurance companies. It also implements consumer rights related to ADMT, such as the right to access and opt out of certain uses. These regulations’ formal public comment period began on November 22, 2024, and will conclude on January 14, 2025.
Business Considerations
- Employers can submit comments so that the CPPA can consider their input during the rulemaking process. The due date for comment submissions is January 14, 2025.