CPPA Continues Rulemaking on AI, the New Delete Request and Opt-Out Platform (DROP), Cybersecurity Audits and Privacy Risk Assessments

The California Privacy Protection Agency (CPPA) has released the agenda for its upcoming public board meeting on October 4, 2024. This meeting is set to cover important regulatory and enforcement matters related to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Here’s a breakdown of the substantive agenda:

Discussion and Possible Action on Proposed Regulations, Sections 7600-7605, Implementing Data Broker Registration Requirements, Including Possible Adoption or Modification of the Text
In 2023, Senate Bill 362 (Chapter 709, Statutes of 2023), known as the Delete Act, was signed into law, which transferred the responsibility for the new data broker registry from the Attorney General to the California Privacy Protection Agency, beginning January 1, 2024.

According to the memo provided to the CPPA board, the Agency administered the registry for the first time this year, and over 500 data brokers have registered. The proposed regulations largely memorialize the Agency’s existing practices related to the data broker registry, but also clarify key terms, concepts and procedures.

The memo also states that the accessible deletion mechanism will be addressed in a separate rulemaking package.

Further, the memo recaps that during the May 10, 2024, board meeting, the California Privacy Protection Agency Board voted to move the proposed regulations to formal rulemaking. Since that time, the Agency has completed the public comment period—which ran from July 5 to August 20—and held a hearing regarding the proposed regulations on the final day.

The memo states that the Agency received three oral and 18 written comment submissions from a total of 24 distinct entities, including data brokers, consumers, public interest groups, think tanks, law firms, political organizations, and private sector companies. These submissions resulted in 138 unique comments for the Agency to respond to, and the responses to all the comments are in the draft Final Statement of Reasons (FSOR).

Board Update Regarding Development and Implementation of the Delete Request and Opt-Out Platform (DROP) and Associated Fees, Pursuant to SB 362
The CPPA will present the key takeaways from public engagement regarding DROP, which are included in the meeting materials and are listed below.

  • Key identifiers used to identify a consumer record: full name, email, phone, DOB, Mobile Advertising ID (MAID);
  • API preferred over SFTP or email;
  • Dedicated help center;
  • Broad range of identity verification practices, including no verification, email only, government identification, among others;
  • Maintain a suppression list.

The DROP Privacy Overview, prepared in accordance with Cal. Civ. Code § 1798.99.86(b)(2), includes:

  • Separate deletion requests into four lists by identifiers
    • Phone
    • Email
    • Full name, date of birth, address
    • Pseudonymous IDs (such as MAID)
  • One-way hash of all data
  • Data minimization practices
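To make the two privacy design points above concrete, here is an added illustration (not CPPA code, and not a description of DROP's actual implementation) of how deletion requests could be split into the four identifier lists and distributed to brokers only as one-way hashes. The hash algorithm (SHA-256), the normalization rules, the list names and the sample requests are all assumptions made for the example.

```python
import hashlib
import re
# Constructed sample deletion requests (not real consumers).
REQUESTS = [
    {"full_name": "Jane Q. Public", "dob": "1985-03-09", "address": "1 Main St, Sacramento, CA 95814",
     "email": "Jane.Public@example.com", "phone": "(916) 555-0100", "maid": "38400000-8cf0-11bd-b23e-10b96e40000d"},
    {"email": "someone@example.org", "phone": "+1 916 555 0199"},
]

def normalize_phone(raw):
    """Digits only, minus a leading US country code, so differently formatted numbers compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def normalize_text(raw):
    """Case-fold and collapse whitespace; an unnormalized value would produce a different hash."""
    return " ".join(raw.lower().split())

def one_way_hash(value):
    # Assumption: SHA-256 of the normalized UTF-8 value; the page does not name DROP's algorithm.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def hash_identifiers(record):
    """Hash of the identifier this record carries for each of the four lists (assumed list names)."""
    out = {}
    if record.get("phone"):
        out["phone"] = one_way_hash(normalize_phone(record["phone"]))
    if record.get("email"):
        out["email"] = one_way_hash(normalize_text(record["email"]))
    if all(record.get(k) for k in ("full_name", "dob", "address")):
        composite = "|".join(normalize_text(record[k]) for k in ("full_name", "dob", "address"))
        out["name_dob_address"] = one_way_hash(composite)
    if record.get("maid"):
        out["pseudonymous_id"] = one_way_hash(normalize_text(record["maid"]))
    return out

def build_lists(requests):
    """The four hashed lists; only these digests, never the raw identifiers, would be shared."""
    lists = {"phone": set(), "email": set(), "name_dob_address": set(), "pseudonymous_id": set()}
    for r in requests:
        for name, digest in hash_identifiers(r).items():
            lists[name].add(digest)
    return lists

def matching_lists(broker_record, lists):
    """Names of the lists a broker's own record hits, i.e. which identifier triggers deletion."""
    hashed = hash_identifiers(broker_record)
    return sorted(n for n, d in hashed.items() if d in lists[n])
```

Normalization decides the match rate, and since the page does not say whether DROP's hashing is keyed, recipients should treat the lists as confidential rather than anonymized: an unkeyed hash of a low-entropy identifier such as a ten-digit phone number does not hide the value from anyone holding the list.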

Next steps for DROP system:

  • Finalize Stage 2 artifacts
  • Procurement: select vendor
  • System construction
  • DROP regulations
  • System testing
  • System launch (2026)
  • Public awareness campaign
  • User education

Discussion and Possible Action to Advance Draft Regulations to Formal Rulemaking for Updates to Existing Regulations, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology
The Agency has drafted proposed regulations that do the following: (1) update existing CCPA regulations; (2) clarify when insurance companies must comply with the CCPA; (3) operationalize requirements to complete an annual cybersecurity audit; (4) operationalize requirements to conduct a risk assessment; and (5) operationalize consumers’ rights to access and to opt out of businesses’ use of automated decisionmaking technology (ADMT).

As provided in the memo to the CPPA board by the CPPA staff, these proposed regulations are accompanied by an Initial Statement of Reasons (ISOR) that describes the purpose and necessity of the proposed regulations. The proposed regulations and ISOR have been modified since the July 2024 board meeting to do the following: (1) remove proposed section 7005, which addressed the consumer price index increase, because this was addressed via legislation (AB 3286, Statutes of 2024); (2) detail the proposed regulations’ benefits; (3) incorporate the Standardized Regulatory Impact Assessment and address statewide economic impacts; (4) address regulatory alternatives; (5) list the materials relied upon; and (6) make nonsubstantial grammatical changes, such as updating cross-references and updating citations to the CCPA.

As mentioned in the memo, the CPPA staff will recommend that the Board advance the proposed regulations to formal rulemaking, which will provide the public with a formal opportunity to submit written and oral comments to the Agency on the proposed regulations. After receiving public comments, the Board will have additional opportunities to discuss, and potentially update, the proposed regulations.

Future Rulemaking Plans
We also expect the CPPA to address its plans for future rulemaking efforts regarding cybersecurity audits, risk assessments and automated decision-making technology.

You can review the full agenda here. Additional materials for the meeting, including the CPPA’s Initial Statement of Reasons for Data Broker Regulations, can be accessed here.

Stay tuned for further updates following the meeting.