California: CPPA adopts regulations on data broker registration and votes to advance ADMT rulemaking package
This story has been updated - please see the most recent update
On November 8, 2024, the California Privacy Protection Agency (CPPA) Board announced that it voted to adopt the regulations on Data Broker Registration and that it voted to advance the proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technologies (ADMT) into formal rulemaking.
Data Broker Registration Regulation
According to the CPPA, the new Data Broker Registration Regulation includes provisions to:
- clarify registration requirements;
- provide definitions for terms such as 'direct relationship,' 'minor,' and 'reproductive healthcare;'
- require data brokers to disclose information about exempted data collection practices; and
- clarify procedures for registration changes.
Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments, and ADMT
In the proposed rulemaking package, the CPPA aims to:
- update existing California Consumer Privacy Act of 2018 (CCPA) regulations;
- clarify when insurance companies must comply with the CCPA;
- implement requirements for certain businesses to complete annual cybersecurity audits;
- implement requirements for certain businesses to conduct risk assessments; and
- establish consumers' rights to access and opt out of a business's use of ADMT.
Next steps for the Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments, and ADMT
The CPPA clarified that the public will have the opportunity to provide written and oral comments to the CPPA on the proposed rulemaking package. After comments have been received, the CPPA will also have additional opportunities to discuss and potentially update the proposed rulemaking package.
You can read the press release here, the Data Broker Registration Regulation here, and the proposed rulemaking package here.
CPPA requests comments on proposed CCPA Regulations on Insurance, Cybersecurity Audits, Risk Assessments, and ADMT
On November 22, 2024, the CPPA requested public comments on the CCPA Regulations on Cyber Risk, ADMT, and Insurance. Public comments may be submitted until January 14, 2025.
You can read the press release here, the Notice of Proposed Rulemaking here, and the Text of Proposed Rulemaking here.