/>iOn July 24, the California Privacy Protection Agency Board unanimously voted to approve the May 9 draft of its proposed edits and additions to regulations under the California Consumer Privacy Act (CCPA), which we broke down in detail here. There were 575 pages of comments from 70 commentators regarding that last set of changes, but staff concluded that no further changes were appropriate in response to these comments and the Board agreed. So now, a final package will be prepared and presented to the Office of Administrative Law (OAL) to confirm the regulations are consistent with the CCPA and administrative procedures. That package will include more detailed explanation of why rejected comments were rejected, with the goal of providing guidance especially regarding interpretation issues. Assuming OAL approval, key implementation dates will be:
- Profiling and Automated Decision-Making (ADM): Businesses will have until January 1, 2027, to comply with the ADM technology regulations.
- Security Audits: Timing for completion of a first annual cybersecurity audit and filing an audit report with the state will depend on the size of the business:
- April 1, 2028: $100 million + gross revenue.
- April 1, 2029: between $50 million and $100 million.
- April 1, 2030: under $50 million.
- Data Processing Risk Assessments: While high-risk activities occurring on and after the effective date of the regulations (likely before the end of 2025) will be subject to assessment, businesses will have until December 31, 2027, to complete the documentation of the corresponding Risk Assessment Reports through that date, and the filing of the first annual assessment attestation would not be due until April 21, 2028.
Look for a more detailed post next week.
Also of interest is a vote by the Board to support passage of AB 322, which proposes to prohibit “sales” of precise location data, and which would also essentially prohibit its use for targeted advertising. We will keep you updated on the progress of that legislative effort.
