On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Soltani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.
California Data Delete Act Regulations / Data Broker Registration
Summary of developments:
- In 2023, California passed the Data Delete Act, which shifted oversight of data brokers from the Attorney General to the California Privacy Protection Agency (“CPPA”). The bill requires data brokers to register, pay fees, and disclose specified information under the California Consumer Privacy Act (“CCPA”). The CPPA was also tasked with creating the Delete Request and Opt-Out Platform (“DROP”), a portal that, when fully functional, will allow users to exercise their CCPA rights with all registered data brokers through a single request, similar to the widely used FTC Do Not Call Registry. DROP is expected to go live in 2026.
- The regulations increase the data broker registration fee from $400.00 to $6,600.00 to fund the development of DROP.
- During the meeting, the final version of the Data Delete Act Regulations was unanimously approved to move forward for review by the state agency responsible for overseeing California’s rulemaking process, the Office of Administrative Law (“OAL”). After OAL approval, the regulations will go into effect without further modifications.
- A commenter reasonably raised concerns about the current definition of Reproductive Health Care Data (“RHCD”), which data brokers are required to disclose in their registration if they collect it. The commenter pointed out that this definition could be interpreted to include all data types, not just “personal information,” potentially leading to confusion. This broad definition is particularly problematic when data brokers collect only non-personal RHCD. In such cases, if a consumer requests the deletion of this RHCD, the request would likely be denied, as the data falls outside the scope of the CCPA. This comment should have prompted a modest modification to clarify the definition and avoid confusion. Unfortunately, neither the staff nor the board members seemed to fully grasp the request or the benefits of making this adjustment.
What readers should expect:
- Readers should expect the rules to be final and enforceable within the next few months, with the agency prioritizing the implementation of DROP to meet its statutory deadlines. Due to the broad definition of ‘data broker,’ organizations should consult with their counsel to ensure they do not fall within the required registration, as this may be counterintuitive in some cases.
Additional resources:
- The DROP presentation deck is available here.
- The latest version of the proposed (and now adopted) regulations is available here.
- Our summary of California’s Data Delete Act is available here.
Rules on Automated Decision-making Technology, Risk Assessments, and Cybersecurity Audits (ADMT, DPIA, and Cybersecurity Rules)
Summary of developments:
- The Standardized Regulatory Impact Assessment (“SRIA”) on the draft automated decision-making technology (“ADMT”), data protection impact assessment (“DPIA”) and Cybersecurity Rules was presented to the Board at this meeting for the first time. The SRIA states that “[b]ased on a preliminary assessment using conservative approaches to assessment of combined direct economic costs and benefits, the regulatory impacts are estimated to exceed $4 billion in the first year of implementation.” The CPPA’s estimates do not include the compliance costs incurred by businesses that are not based in California but that are subject to the CCPA because they do business in California. The SRIA continues: “[t]his direct impact is composed of a $3.5 billion direct cost to businesses subject to the CCPA, resulting in a much larger adverse impact on investment (-$31 billion) because it directly impacts cost and profit margins. The investment shortfall reduces current output (-$50 billion), employment (-98,000 FTE), and gross state product or GSP (-$27 billion).” For those worrying that the cost of these proposed regulations will be an unjustified burden on companies doing business in California, the CPPA posits that “[t]he benefits of stronger protections for consumers’ privacy far outweigh these costs in the long run, improving the investment climate and overcoming cumulative adjustment costs incurred by California businesses….”
- Board member Mactaggart, along with many commenters, raised concerns that the scope of the rules goes beyond what was intended by the CCPA. A key issue was the definition of behavioral advertising, which, as written, would include the use of first-party data for advertising, such as contextual advertising, and subject it to opt-out requirements. Additionally, commenters argued that the definition of ADMT is too broad, potentially requiring burdensome risk assessments for any technology involving computations. Several California business groups warned that the proposed compliance obligations could harm businesses and lead to companies relocating to more regulatory-friendly states.
- Despite the high cost and the objections, the Board voted 4 to 1, with Mactaggart voting “nay,” to advance the regulations to the formal rulemaking process.
- Chair Urban explicitly reminded commenters that moving to formal rulemaking would allow CPPA staff to fully address and revise concerns. This begins with a 45-day public comment period for the automated decision-making technology, risk assessments, cybersecurity audits, and insurance package. Given the upcoming holidays, Chair Urban did ask to extend the comment period, which was agreed upon by staff. However, the details of the extension have not been communicated formally yet.
What readers should expect:
- It is currently very unclear to what extent the current draft will be modified through the formal rulemaking process, but readers should anticipate that significant modifications are possible, making it difficult to determine when to begin the compliance process. Given this uncertainty, readers should consult with their counsel to understand which aspects of the regulations are expected to remain in the final version and begin planning for their implementation.
- Readers should be aware that litigation over the scope of the regulations is possible and even probable, depending on the content of the final draft. As the regulations evolve through the formal process, it is likely that legal challenges will arise, especially regarding the interpretation and application of certain provisions. The outcome of such litigation remains uncertain and could significantly impact the final implementation of the regulations.
Additional resources:
- If readers would like assistance with drafting and filing comments, please contact the authors or your SPB relationship partner.
- The latest draft of the regulations is available here.
- A summary of the draft regulations is available here.
- A copy of the SRIA is available here.
Other Important Developments
Resignation of the agency’s director:
- The resignation of the current director of the California Privacy Protection Agency (“CPPA”) was announced at the meeting, though the reasons for his departure remain unclear. The director has been involved with the California Consumer Privacy Act (“CCPA”) since its approval by the legislature in 2018 and has played a key role in shaping the agency’s initial strategy and the development of the current regulations. His influence has been instrumental in establishing the agency’s approach to privacy protection in California. The appointment of a new director is, therefore, a significant and critical decision, as this individual will assume the role of enforcing the rules and will have considerable discretion in determining how those efforts are carried out. Readers should remain attentive to this process, as the new director will help shape the future of privacy enforcement in California, potentially influencing how aggressively the rules are enforced, which areas are prioritized, and how flexible the implementation of the regulations may be. (See the CPPA announcement here).
Further rulemaking topics:
- The meeting concluded with a brief discussion regarding additional potential rulemaking by the Board. Staff presented a list of topics (available here) but was directed to prioritize the items on the list and incorporate additional subjects for consideration, including authorized agent requests, loyalty programs, and the insurance industry. Readers will have to wait until the prioritized list is presented to the Board to fully understand the priorities for future rulemaking.
CPPA overlap with other privacy insurance regulations:
- The rule package includes a reference to the overlap between CPPA and the current privacy regulations in California for insurance; however, the proposed text largely fails to provide clarity on this issue, and readers should not expect further clarification in the near future. Insurance companies should consult with counsel on how to best navigate this uncertainty.
The Privacy World team will closely monitor CPPA rulemaking developments and keep you informed every step of the way, ensuring you’re always up to date on the latest changes.