Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California: CPPA adopts regulations on data broker registration and votes to advance ADMT rulemaking package

This story has been updated - please see the most recent update

On November 8, 2024, the California Privacy Protection Agency (CPPA) Board announced that it voted to adopt the regulations on Data Broker Registration and that it voted to advance the proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technologies (ADMT) into formal rulemaking.

Data Broker Registration Regulation

According to the CPPA, the new Data Broker Registration Regulation includes provisions to:

  • clarify registration requirements;
  • provide definitions for terms such as 'direct relationship,' 'minor,' and 'reproductive healthcare;'
  • require data brokers to disclose information about exempted data collection practices; and
  • clarify procedures for registration changes.

Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments, and ADMT

In the proposed rulemaking package, the CPPA aims to:

  • update existing California Consumer Privacy Act of 2018 (CCPA) regulations;
  • clarify when insurance companies must comply with the CCPA;
  • implement requirements for certain businesses to complete annual cybersecurity audits;
  • implement requirements for certain businesses to conduct risk assessments; and
  • establish consumers' rights to access and opt out of a business's use of ADMT.

Next steps for the Rulemaking for Insurance, Cybersecurity Audits, Risk Assessments, and ADMT

The CPPA clarified that the public will have the opportunity to provide written and oral comments to the CPPA on the proposed rulemaking package. After comments have been received, the CPPA will also have additional opportunities to discuss and potentially update the proposed rulemaking package.

You can read the press release here, the Data Broker Registration Regulation here, and the proposed rulemaking package here.

Update: November 25, 2024

CPPA requests comments on proposed CCPA Regulations on Insurance, Cybersecurity Audits, Risk Assessments, and ADMT

On November 22, 2024, the CPPA requested public comments on the CCPA Regulations on Cyber Risk, ADMT, and Insurance. Public comments may be submitted until January 14, 2025.

You can read the press release here, the Notice of Proposed Rulemaking here, and the Text of Proposed Rulemaking here.