Privacy & Cybersecurity Law Blog

On July 16, 2024, the California Privacy Protection Agency (“CPPA”) Board held a public meeting and discussed next steps regarding its upcoming Formal Rulemaking for Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits, Insurance, and Updates to Existing Regulations.

During the meeting, the CPPA’s General Counsel stated that the agency is in the “pre-step” phase before commencing Formal Rulemaking. In advance of the meeting, the CPPA released a draft multi-prong package, which includes proposed updates to existing CCPA regulations, , cybersecurity audits risk assessments, and the use of Automated Decisionmaking Technology (“ADMT”). The Board also released a draft Initial Statement of Reasons for the Proposed Rulemaking and a Preliminary Economic Assessment.

The draft regulations are consistent with staff updates proposed earlier this year. The newly released draft includes minor revisions, such as the addition of the term ADMT, which is defined as any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking. The draft regulations also include language on new consumer rights to access, opt-out and appeal decisions made by ADMT.  

Before commencing Formal Rulemaking, the CPPA must finalize and submit a Standardized Regulatory Impact Assessment to the Department of Finance for review and comment. Following this process, the CPPA will open Formal Rulemaking which will begin with a 45-day public comment period on the proposed regulations. The CPPA advised that public comments should address the practical effects of the proposed regulations, and encouraged stakeholders to provide any feedback including alternative regulatory approaches.  

At this time, there is no date set for the beginning of the public comment period.