The Bottom Line
- The CPPA continues to crack down on data brokers, voting to adopt regulations to clarify the Delete Act, increasing fees and conducting its first enforcement sweep.
- If approved, the data broker regulations will become effective by January 1, 2025.
- The Agency also advanced a proposed rulemaking package with regulations concerning automated decision-making technology, cybersecurity audits, artificial intelligence and sensitive personal information.
On November 8, 2024, the California Privacy Protection Agency (CPPA) Board voted to adopt new regulations clarifying the California Delete Act. The Board also voted to advance its proposed rulemaking package and updates to several regulations — namely, regulations concerning automated decision-making technology, cybersecurity audits, artificial intelligence and sensitive personal information.
Data Broker Obligations
The CPPA’s new Data Broker regulations seek to clarify the California Delete Act. As discussed in our previous alert, the Delete Act has tasked the CPPA with creating an “accessible deletion mechanism” (known as the Delete Request and Opt-out Platform or “DROP”) allowing consumers to make a single personal information deletion request that is binding on all data brokers, as opposed to opting out of each registered data broker one by one. As of November 2024, there are 527 registered businesses in the 2024 Data Broker Registry.
Under the new regulations, the CPPA has clarified several vital areas, such as registration and information submission requirements, as well as the procedures for registration changes. The regulations also clarify the Delete Act’s threshold criteria for consideration as a data broker. The new regulations make clear that a business is considered a data broker if it “sells personal information about the consumer that the business did not collect directly from the consumer,” even if the business has other services where it does have a direct relationship with the consumer. The result is that the definition of “data broker” will include a wider range of businesses. Since a business could be a data broker for some services and not for others, the regulation now requires data brokers to disclose information about their exempt data collection practices. Finally, the Board voted to increase the State’s annual data broker registration fee and established that the fee is nonrefundable and cannot be prorated. The regulations will be filed with the Office of Administrative Law and, if approved, will become effective by January 1, 2025.
On October 30, 2024, the CPPA announced a public investigative enforcement sweep for compliance with the Delete Act. Since this announcement, the Board has voted to approve its first two settlements, with data brokers Growbots, Inc. and UpLead LLC, for failing to register and pay the registry fee. Under the settlements, Growbots will pay $35,000, and UpLead will pay $34,400, to resolve the CPPA Enforcement Division’s claims. This first investigative sweep and set of settlements underscore the imperative that data brokers adhere to the requirements of the Delete Act and remain attentive to the new regulations being enacted by the CPPA.
Automated Decision-making Technology
The CPPA board also voted to advance proposed regulations on automated decision-making technology (ADMT). ADMT is “any system, software, or process that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking, such as tech derived from machine-learning and artificial intelligence.” However, ADMT does not include web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam- and robocall-filtering, spellchecking, calculators, databases or spreadsheets. These forms of technology fall outside the scope of ADMT so long as they do not replace or “substantially facilitate” human decision-making, or execute a decision.
Under the new regulations, businesses that utilize ADMT will have to provide consumers with a Pre-use Notice explaining the purpose of the ADMT and informing consumers of their rights to access information about the ADMT and to opt out of the ADMT when it is used by the business for:
- a decision that produces legal or similarly significant effects concerning a consumer;
- profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant or student; or
- profiling a consumer while they are in a publicly accessible place.
The regulations also provide exceptions to these disclosure requirements where ADMT is used for certain business purposes, such as protecting consumer health and safety, and providing goods and services requested by a consumer. Overall, the regulations seek to provide consumers with transparency and autonomy when engaging with businesses that utilize these new forms of technology.
Additional Proposed Amendments
Cybersecurity Audits
To mitigate risks to the security of consumers’ personal information, the CPPA’s proposed regulations require businesses to complete a cybersecurity audit and, in some cases, conduct a risk assessment. Businesses must complete their first cybersecurity audit within 24 months of the effective date of the regulations. While the auditor may be internal or external, the auditor must exercise “objective and impartial judgment.” The audit must assess, document and summarize each applicable component of the business’s cybersecurity program, identify and address any gaps or weaknesses, and identify any corrections or amendments to prior audits. Following completion of the first audit, businesses must conduct a cybersecurity audit every calendar year and submit a written certification to the CPPA.
Artificial Intelligence
The Board voted to advance a proposal on artificial intelligence (AI), defined as a machine-based system that infers how to generate outputs that can “influence physical or virtual environments,” given the potential for significant risks to consumers’ privacy. Under the proposed regulations, businesses must conduct a risk assessment to identify the categories of personal information being processed by AI. Additionally, businesses must determine how they have maintained or will maintain the quality of this information. The regulations also establish guidelines for businesses that train or provide AI systems to third parties, including information that must be provided to the recipient businesses.
Sensitive Personal Information
A cornerstone of the CPPA’s proposed regulations is new protections for sensitive personal information.
As outlined in an expanded definition in the new rules, sensitive personal information is personal information that reveals a consumer’s social security number, precise geolocation or genetic data, among other delicate data elements. However, sensitive personal information does not include information that is “publicly available.” The proposed regulations’ new requirements for sensitive personal information, covering risk assessments, cybersecurity audits, and required notice and disclosure guidelines, work in tandem to ensure this information’s security.
The CPPA Board is in the process of discussing the proposed regulations and is expected to provide feedback by February 2025.
Robert Chappell, an intern in the Advertising + Marketing and Privacy, Technology + Data Security groups at Davis+Gilbert, assisted with this alert.