On November 22, the California Privacy Protection Agency (the Agency)
published its
NPRM proposing amendments to existing regulations under the California Consumer Privacy Act (CCPA). These changes aim to enhance state consumer privacy laws by updating existing regulations, clarifying insurance company compliance with the CCPA, and operationalizing requirements for annual cybersecurity audits, risk assessments, and consumer rights regarding automated decision-making technology. The Agency also published a redline of the NPRM
here and statement of reasons
here.
The proposed regulations incorporate new requirements from three enacted bills that update and amend the CCPA, effective January 1, 2025. The three bills were AB 1008 (amending the definition of “personal information”), SB 1223 (expanding the definition of “sensitive personal information”), and AB 1824 (regarding business obligations to honor consumers’ opt-out of sale/sharing preferences).
Among other things, the proposed rule would: (i) ensure that consumers can withdraw consent to share personal information at any time; (ii) ensure that all mobile applications and webpages that collect personal information include links to required disclosures; (iii) expand guidance on obtaining consumer consent; and (iv) expand obligations for use of automated decision-making technology and artificial intelligence. The regulations also introduce new obligations for cybersecurity and risk management.
Comments to the updated proposed rules will be due on January 14, 2025.
