A View From California: CPPA Advances Key Privacy Regulations and Data Broker Rules
Authors
Myriah V. Jaworski, Ali Bloom
On Nov. 8, the California Privacy Protection Agency (CPPA) Board voted to advance several significant privacy regulations, including new provisions under the CCPA affecting data brokers, as well as the initiation of the formal rulemaking process for additional regulations covering insurance, cybersecurity audits, risk assessments, and automated decision-making technologies (ADMT).
If adopted, these regulations will have significant implications for businesses operating in California, particularly regarding consumer privacy rights, data broker registration, and data processing practices.
Regulation of ADMT and Artificial Intelligence
First, the CPPA Board voted to advance proposed regulations on automated decision-making technologies (ADMT), artificial intelligence (AI), risk assessments, and cybersecurity audits to formal rulemaking.
Key provisions of these regulations include:
- Regulation of ADMT and AI: New rules would govern the use of ADMT and AI by businesses.
- “ADMT” is defined as any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making.
- “AI” is defined as a machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments. Artificial intelligence may do this to achieve explicit or implicit objectives. Outputs can include predictions, content, recommendations, or decisions. Artificial intelligence systems vary in their levels of autonomy and adaptiveness after deployment. For example, artificial intelligence includes generative models, such as large language models, that can learn from inputs and create new outputs, such as text, images, audio, or video; and facial- or speech-recognition or -detection technology.
Under these rules, consumers would have the right to:
- Request information about businesses’ use of ADMT.
- Opt out of ADMT.
- Appeal decisions made using ADMT, particularly in areas like employment, credit, and education.
- Risk Assessment Requirements for ADMT, AI, and Sensitive Personal Information: Businesses would be required to conduct detailed risk assessments for data processing, especially when using ADMT or AI for significant decisions or profiling. These assessments must identify:
- The purpose of processing
- The types of personal information involved
- The potential impacts on consumers (both positive and negative)
- The safeguards in place to protect consumer privacy.
- Timing and Documentation for Risk Assessments: Risk assessments must be conducted prior to starting data processing activities and updated at least every three years or when there is a material change. These assessments must be documented in detail and retained for five years or as long as the data processing continues.
- Cybersecurity Audits for High-Risk Data Processing: Businesses that process significant volumes of personal data or derive substantial revenue from selling or sharing data will be required to conduct annual cybersecurity audits. These audits must evaluate the business’s cybersecurity measures, including encryption, network monitoring, vulnerability testing, and incident response. A senior executive or board member must certify the audit’s completion and submit it to the CPPA annually.
- Submission of Risk Assessments and Cybersecurity Audits: Businesses must submit their risk assessments and cybersecurity audits to the CPPA within 24 months of the regulations’ effective date, and annually thereafter. If requested, businesses must provide updated risk assessments within 10 business days.
Data Broker Registration Requirements
The CPPA also proposed updates to the data broker registration process under California Civil Code Section 1798.99.80. These changes clarify key definitions, outline procedures for updating registrations, and impose additional disclosure requirements regarding data collection practices, especially around sensitive data. Key aspects of the new proposed regulations include:
- Clarification of Key Terms:
- “Direct Relationship”: A “direct relationship” is defined as a consumer’s intentional interaction with a business to obtain, access, purchase, use, or request products or services within the past three years. This clarifies when businesses can claim an exemption from the “data broker” definition based on having a direct relationship with consumers.
- “Minor”: A “minor” is defined as anyone under the age of 16, aligning with existing California laws on the collection of data from children.
- “Reproductive Health Care”: The regulations expand the definition of reproductive health care to include information about contraception, fertility, sexual health, abortion care, and even data from dating apps related to sexual history or family planning. Inferences about these topics are also covered, broadening the scope of sensitive data under the regulations.
- Registration Fee Increase: Starting in January 2025, the annual registration fee for data brokers will increase to $400. This fee adjustment is intended to help cover the costs of maintaining the data broker registry and deletion mechanism as directed by the Legislature.
- Data Collection Disclosures: Data brokers will be required to disclose detailed information about their data collection practices, particularly for any exempted data collection. For example, businesses with a direct relationship with consumers must explain the nature of their exempt practices and how they handle sensitive data.
- Disclosure of Other Legal Regulations: Data brokers will need to disclose how their activities are regulated by other laws (e.g., FCRA, GLBA, CMIA), including:
- The types of personal information collected and sold under these laws.
- The specific products or services covered by these laws.
- The proportion of data collected and sold that is subject to these laws, compared to the business’s overall data collection practices.
These proposed regulations are now with the Office of Administrative Law for review, and, if approved, will take effect on Jan. 1, 2025.
Key Proposed Regulations
The CPPA Board has voted to move forward with several key proposed regulations, which are now in the formal rulemaking phase. These updates to existing CCPA regulations include:
- Expanded Definition of “Sensitive Personal Information”: The proposed regulations broaden the definition of sensitive personal information to include data from minors under the age of 16. This gives minors more control over their personal data, including the right to direct businesses to limit the use and disclosure of their information.
- Expanded Prohibitions on Dark Patterns: The regulations codify recent CPPA enforcement advisories, making prohibitions on dark patterns legally binding.
- Enhanced Privacy Policy Requirements: Businesses will be required to provide more detailed information in their privacy policies, including:
- The timing of personal data collection.
- The categories of third parties with whom data is sold or shared.
- Protection Against Re-collection After Deletion Requests: The regulations mandate that businesses take measures to prevent the re-collection of a consumer’s data after their deletion request has been fulfilled.
- Opt-out Processing Confirmation: Businesses must provide a clear signal to consumers, confirming whether their opt-out requests regarding the sale or sharing of data have been successfully processed.
- Transparency in Denied Rights Requests: If a business denies a consumer’s rights request, it must inform the consumer of their right to file a complaint with the Attorney General or another relevant agency.
- Guidance for the Insurance Industry: The proposed regulations offer specific guidance for insurers, clarifying when they must comply with CCPA’s privacy and risk assessment requirements. However, insurance companies will not be subject to these requirements when engaged in “insurance transactions” as defined in the California Insurance Code.
Next Steps and Timeline
With the CPPA board’s votes, the proposed regulations will now undergo a 45-day public comment period, which is expected to run through early 2025. Following the comment period, the CPPA may issue revised proposals, followed by a 15-day comment period, or proceed with adopting the regulations as written. If adopted, the regulations will take effect immediately.
For more details on the rulemaking process and to review the full text of the proposed regulations, visit the CPPA’s Laws & Regulations webpage.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.