The California Privacy Protection Agency (CPPA) continues to evolve as a central force in privacy regulation, advancing new rules and enforcement priorities that carry significant implications for businesses operating in California and beyond.
During its November 8, 2024, meeting, the CPPA made notable progress in several areas, including data broker regulations under the Delete Act, automated decision-making technology (ADMT) rulemaking, and the announcement of impending leadership changes.
Below, we break down these updates and what they mean for organizations subject to the CCPA and its related regulations.
1. Data Broker Regulations and the Delete Act
The CPPA finalized new regulations clarifying provisions of California’s Delete Act, passed in October 2023, which expands oversight, transparency, and accessibility over data brokers. Key elements of the new rules include:
- Expanded Scope: Businesses with indirect relationships to California consumers and those selling personal data collected from third parties may now qualify as data brokers, even if they interact directly with California consumers in other contexts.
- Transparency and Deletion Obligations: Data brokers must honor California consumer data deletion requests every 45 days, including for newly collected personal data, and disclose personal data collection practices.
- Registration Fee Increase: The annual fee for data brokers has increased to $6,600 to fund the implementation of the Delete Act, including the Delete Request and Opt-Out Platform (DROP), which will allow California consumers to make unified deletion requests starting in 2026.
For businesses, this means heightened compliance obligations, particularly for those that operate in data-intensive industries or rely on data broker partnerships. Businesses should assess whether they fall under this expanded definition and ensure they are registered with the CPPA. Non-compliance could result in penalties of $200 per day and enforcement action, as evidenced by recent settlements with data brokers Growbots, Inc. and UpLead LLC.
2. Formal Rulemaking on Automated Decision-Making Technology (ADMT)
The CPPA advanced its much-anticipated ADMT regulations to formal rulemaking, signaling further regulatory oversight of artificial intelligence (AI) and algorithmic decision-making.
The draft rules, which have been under discussion since March 2023, propose:
- Requiring risk assessments for businesses using ADMT tools;
- Allowing California consumers to opt out of automated profiling and other uses of their personal data in algorithmic decision-making; and
- Establishing California consumer rights to appeal decisions made using ADMT.
Critics argue the rules may stifle innovation or be overtaken by rapidly evolving AI technologies, while supporters stress the urgency of safeguards against discriminatory or harmful decision-making.
For businesses, this marks the beginning of another compliance challenge. Businesses that leverage AI for hiring, creditworthiness evaluations, targeted advertising, or similar activities will need to implement robust governance frameworks to meet evolving risk assessment and transparency requirements. These rules, expected to be finalized in 2025, could also have downstream impacts on smaller businesses through partnerships with larger companies subject to compliance.
3. Impending Leadership Changes at the CPPA
CPPA Executive Director Ashkan Soltani announced his resignation effective January 2025. Soltani has been instrumental in establishing the CPPA as a key enforcement authority, particularly around compliance with the California Consumer Privacy Act (CCPA) and the Delete Act. His exit marks a transitional period for the agency as it oversees increasingly complex regulatory mandates.
While the CPPA has grown significantly under Soltani’s leadership, with 45 employees and seven divisions, his departure creates some uncertainty regarding the agency’s future direction and continuity of its aggressive enforcement approach.
Businesses should anticipate potential shifts in enforcement priorities or procedural changes as new leadership steps in.
What These Changes Mean for Companies
The CPPA’s latest developments reflect an intensifying regulatory environment that businesses cannot afford to overlook. Key takeaways for companies include:
- Heightened Obligations for Data Brokers: Businesses must assess whether they qualify as data brokers under the expanded definition and ensure compliance with registration and deletion requirements under the Delete Act. Partnering with non-compliant brokers could expose companies to regulatory compliance and enforcement risk.
- Proactive AI Governance: Businesses relying on AI or ADMT tools should prepare for potential mandates requiring risk assessments, opt-out rights, and appeals processes for consumers. Now is the time to evaluate algorithmic decision-making systems and establish internal oversight mechanisms to mitigate risks.
- Strategic Privacy Investments: Compliance with California’s growing privacy mandates will require robust data governance, transparency, and security measures. Companies that streamline their privacy programs now will be better positioned to adapt to future regulatory changes, including those likely to emerge from CPPA leadership transitions.
Looking Ahead
As California continues to set the tone for U.S. privacy regulation, companies must stay ahead of emerging requirements to avoid costly fines and reputational damage. Whether it’s meeting the transparency and deletion requirements of the Delete Act or preparing for ADMT rules, proactive compliance planning is essential.