The California Privacy Protection Agency (CPPA) announced the formal public comment period for its latest proposed rulemaking package, which includes updates to existing regulations and introduces new guidelines for automated decision-making technology (ADMT), cybersecurity audits, risk assessments and insurance companies.
Members of the public have until January 14, 2025, to submit comments.
This long-awaited rulemaking package arrives after extensive initial public feedback and stakeholder sessions held across California. A divided board voted to advance the package during its November 8, 2024, meeting, despite ongoing questions over the proposed ADMT regulations and how it relate to artificial intelligence (AI).1 Board members anticipate that moving the rulemaking process forward will enable them to leverage additional public comments to refine the details surrounding topics within the proposed ADMT regulations, such as the scope of definitions and consumer opt-out rights.
The board agreed to extend the public comment period beyond the usual 45 days to ensure ample opportunity for the desired level of feedback, in light of the holiday season.
Rulemaking Package Components
The proposed regulations include several significant updates and new requirements, including:
- Automated Decision-Making Technology (ADMT): The proposed regulations introduce provisions to implement consumers' rights to access and opt out of businesses’ use of ADMT, intended to increase transparency and control for consumers over automated systems that impact consumer choices and behavior. The current definition of ADMT under the proposed regulations includes “any technology that processes personal information and uses computation” to execute decisions. Businesses would be required to provide pre-use notice of ADMT, an explanation of the logic used, as well as a means to request an opt-out, and request plain-language explanations of ADMT output with respect to the consumer.
- Annual Cybersecurity Audits and Risk Assessments: Certain businesses whose processing of consumer personal information presents a “significant risk” to consumer security would be required to complete yearly cybersecurity audits, along with comprehensive risk assessments to identify and address potential privacy risks related to their data processing activities. Businesses that process personal information to train ADMT or AI will be subject to additional risk assessment requirements.
- Insurance Companies' Compliance: The package also clarifies when insurance companies must comply with the California Consumer Privacy Act (CCPA), aiming for greater consistency in the application of the law across industries.
Next Steps
When the comment period ends on January 14, 2025, the CPPA will hold a hybrid public meeting from 2 p.m. to 6 p.m. PST. Attendees can participate either in person at the CPPA's Sacramento office or virtually.
Following the comment period, the CPPA may issue revised proposals, followed by an additional 15-day comment period, or proceed with adopting the regulations as written. If adopted, the regulations will take effect immediately.
For more information on the proposed rulemaking package and to access the public comment portal, visit the CPPA's website. Individuals wishing to provide written comments can email them to regulations@cppa.ca.gov or submit them by mail to the CPPA’s headquarters.
Please contact a member of Akin’s cybersecurity, privacy and data protection team if you have any questions about this rulemaking or how it may impact your company.
1 ADMT can involve AI or machine learning, particularly when referring to a technology used to make decisions with limited human involvement. ADMT also includes “profiling” which refers to automated means of evaluating consumers based on personality, behavior or location.
