On November 8, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss
and vote on various proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and a wide assortment of other updates to existing CCPA regulations; data broker registration regulations; and the development of the Delete Request and Opt-Out Platform (DROP) required by the Delete Act. The CPPA Board also voted to approve settlements with two data brokers for allegedly failing to register and pay an annual fee as required by the Delete Act.

This recent meeting, as signaled during the July CPPA Board meeting, marks the start of formal rulemaking for the new proposed CCPA regulations, the CPPA’s adoption of the data broker registration regulations, and the finalization of key specifications ahead of the DROP launch.

Below is a summary of updates as discussed during the board meeting.

New Proposed CCPA Regulations

In a 4-1 vote, with Board Member Alastair Mactaggart voting no, the CPPA Board voted to advance draft CCPA regulations for automated decision-making technology (ADMT), privacy risk assessments, cybersecurity audits, and an assortment of other updates to existing CCPA regulations to formal rulemaking. At the meeting, Mr. Mactaggart reiterated his objections to the ADMT and risk assessment regulations from the July CPPA Board meeting, namely that: 1) risk assessments should focus on the (high risk) activity, not the technology; 2) significant decisions should be more clearly defined; 3) the term “access to” in significant decisions should be removed; 4) essential goods and services should be clarified to avoid unnecessary assessments; and 5) the CPPA Board should provide a comprehensive list of acceptable assessments from other jurisdictions to reduce duplication and compliance costs. Beyond this vote, there have been no other meaningful changes made to the proposed regulations since the July draft, which we covered in detail in our August Data Advisor article. 

In the coming months, the CPPA will be accepting public comment on the draft regulations as part of the formal rulemaking process. Based on the timelines of prior rulemakings, we expect the CCPA regulations to be published for public comment in early December 2024 and for the comment period to run through at least the end of January or early February 2025 (note that CPPA Board Chair Jennifer Urban requested a longer than usual comment period due to the intervening winter holidays).

Data Broker Registration Regulations

In a 5-0 vote, the board voted to adopt the CPPA’s proposed Delete Act regulations regarding data broker registration requirements. The regulations aim to bring more clarity to provisions of the Delete Act, which requires data brokers to register with the state of California, among other obligations, to promote transparency.

Notably, the new regulations significantly expand the scope of which businesses are considered data brokers by asserting in the regulations’ definition of “direct relationship” that, “[a] business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.” During the rulemaking process, a number of entities (including Wilson Sonsini Goodrich & Rosati) filed comments stating that this assertion impermissibly expanded the scope of the regulations beyond the plain language of the statute and exceeded the CPPA’s rulemaking authority. Nevertheless, during the board meeting, and as noted in the Final Statement of Reasons (FSOR), staff was dismissive of these arguments and took the position that, because the term  “direct relationship” is left undefined in the statute, the CPPA was left with broad discretion to define it as necessary to effectuate the law.

The CPPA will now file the data broker registration regulations with California’s Office of Administrative Law for final review and approval.

Development of Delete Request and Opt-Out Platform

During the board meeting, CPPA staff presented updates on the development and implementation of the Delete Request and Opt-out Platform (DROP). The DROP is a system that will allow California consumers to submit requests to delete their personal information held by all registered data brokers and opt out of the sale or sharing of their personal information via a single, accessible, platform as mandated by the Delete Act.

California consumers will be able to access the DROP on January 1, 2026, and starting August 1, 2026, data brokers will be required to access the DROP via an API every 45 days to receive consumers’ requests. Ahead of the DROP’s launch, the CPPA will be finalizing procurement, vendor selection, DROP regulations, systems testing, and public education campaigns in support of the new platform. To help cover the cost of implementing and operating the DROP, the CCPA Board voted unanimously to increase the 2025 data broker registration fee from $400 to $6,600, and expressed little concern that data brokers would be able to absorb the 1,550 percent fee increase.

Recent CPPA Settlements with Data Brokers

During a closed session of the meeting, the CPPA Board voted unanimously to approve settlements with two data brokers, Growbots, Inc. and UpLead LLC, for allegedly failing to register as data brokers and pay an annual fee as required by the Delete Act. The Delete Act imposes fines of $200 per day for failing to register by the yearly January 31 deadline, fines which, in part, go towards funding development of the DROP. In the wake of the CPPA Enforcement Division’s investigative sweep of data broker registration compliance:

• Growbots will pay $35,400 to resolve the Enforcement Division’s claims that the company failed to register between February 1 and July 26, 2024, and
• UpLead will pay $34,400 to resolve the Enforcement Division’s claims that the company failed to register between February 1 and July 21, 2024.

In addition to the fines, both companies agreed to injunctive terms, including agreeing to pay the Enforcement Division’s attorney fees and costs resulting from any noncompliance.

Next Steps

The CPPA concluded the board meeting by identifying top priorities for the future, including processes for authorized agents, employee data regulation, rulemaking related to financial incentives, and creating model notices and disclosures for insurance and risk assessments.

Businesses that are subject to the CCPA should pay close attention to the forthcoming CCPA regulations and consider submitting comments to the CPPA when the formal rulemaking process begins soon. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, or preparing a comment regarding the CCPA regulations, please contact Eddie Holman, Maneesha Mithal, Tracy Shapiro, or any member of the firm's data, privacy, and cybersecurity practice.