New CPPA Regulations for Data Brokers and ADMT Rulemaking Package Advance

On November 8, 2024, the California Privacy Protection Agency (CPPA) Board voted to adopt new regulations for data broker registration requirements. The CPPA Board also voted to advance proposed rules for insurance companies, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to the formal rule making process. We wrote about these proposed rules in a July 2024 update.

The new regulations regarding data broker registration requirements clarify provisions to California’s Delete Act which went into effect last year and requires data brokers to register with the CPPA. Specifically, these clarifications include:

1. When registering as a data broker with the CPPA, data brokers must pay by credit card and also pay associated third-party fees for processing electronic payments, unless the data broker demonstrates that it cannot pay by credit card and is then authorized by the CPPA to instead pay by debit card, check, or wire transfer.
2. Further defining and clarifying new terms including:
   1. “Direct relationship,” which means that a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years. The regulations further state that a consumer does not have a “direct relationship” with a business if the purpose of their engagement is to exercise any right described under Title 1.81.5 of Part 4 of Division 3 of the Civil Code, or for the business to verify the consumer’s identity. A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
   2. “Minor,” which means a consumer the data broker has actual knowledge is less than 16 years of age. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
   3. “Reproductive health care,” which means any of the following:
      1. Information about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system, which includes goods such as contraception (e.g., condoms, birth-control pills), pre-natal and fertility vitamins and supplements, menstrual-tracking apps, and hormone-replacement therapy. It also includes, but is not limited to, services such as sperm- and egg-freezing, In Vitro Fertilization, abortion care, vasectomies, sexual health counseling; treatment or counseling for sexually transmitted infections, erectile dysfunction, and reproductive tract infections; and precise geolocation information about such treatments.
      2. Information about the consumer’s sexual history and family planning, which includes information a consumer inputs into a dating app about their history of sexually transmitted infections or desire to have children is considered sexual history and family planning information.
      3. Further inferences made about the consumer with respect to the criteria stated above.
3. Clarifying procedures for registration changes, including:
   1. If a data broker was erroneously registered with the CPPA, the business must submit to the CPPA a written request for removal from the registry explaining why the business should not be included on the registry with supporting evidence.
   2. Data brokers may contact the CPPA electronically in writing to update their current registration at any time to reflect (i) a change in name, email, or phone number of the point of contact; (ii) a change in the data broker’s public-facing contact information; or (iii) a change in the data broker’s public-facing website addresses.

The proposed rulemaking package includes:

1. Updates to existing CCPA regulations;
2. Clarifications on when insurance companies must comply with the CCPA;
3. Implementation of requirements for certain businesses to complete annual cybersecurity audits;
4. Implementation of requirements for certain businesses to conduct risk assessments; and,
5. Establishment of consumers’ rights to access and opt-out of business’ use of ADMT.