During the California Privacy Protection Agency’s (CPPA) meeting on November 8, 2024, it voted to proceed with formal rulemaking regarding artificial intelligence (AI) and cybersecurity audits. The CPPA’s rulemaking related to AI runs parallel to the California Civil Rights Department’s push for its own regulations related to AI.

The CPPA’s proposed regulations include details related to:

• Automated Decision-Making Technology (ADMT): the specifics related to a consumer’s right to access and opt-out of a businesses’ use of ADMT; requirements that businesses must disclose their use of ADMT and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the consumer.
• Cybersecurity Audits: requirements related to annual cybersecurity audits to confirm compliance with the California Consumer Privacy Act (CCPA) and other consumer privacy regulations, including the scope, methodology, and reporting requirements.
• Risk Assessments: requirements for risk assessments to identify privacy risks related to data processing activities.
• Regulation of Insurance Companies: clarifies when the CCPA applies to insurance companies.

The proposed regulations will be available for public comment for 45 days. The CPPA will also conduct public hearings for additional feedback and discussion of potential updates to the proposed regulations. The updated regulations are expected to become effective by mid-2025.