CPPA Releases Proposed Updates to CCPA Regulations and Unveils New Draft Privacy Assessment and ADM Rules


Overview


On February 23, 2024, the California Privacy Protection Agency (CPPA) released proposed updates to the California Consumer Privacy Act (CCPA) regulations and draft updates to the Risk Assessment and Automated Decisionmaking Technology (ADM) regulations. These drafts will be reviewed at the upcoming March 8, 2024, CPPA Board meeting. We previously wrote about earlier versions of these draft regulations, which will usher in significant operational changes for businesses. While the revisions to the ADM and Risk Assessment rules reveal notable improvements, the proposed drafts continue to present significant new obligations that businesses should begin preparing for immediately.

In Depth


AUTOMATED DECISIONMAKING TECHNOLOGY

The draft ADM regulations include several noteworthy updates as outlined in an accompanying PowerPoint that the CPPA released publicly. These include:

  • Revised definition of ADM: The draft regulations propose important updates to the definition of what constitutes ADM. As we detailed previously, the definition in the last iteration was so broad as to include calculators or even spreadsheet formulas. In the current draft, the definition of ADM expressly excludes ordinary technologies, such as calculators and domain registrations, so long as they are not used in a manner that replaces human decision-making. Ambiguity remains, however, as to what happens if one of the excluded technologies is used to facilitate human decision-making.
  • Revised definition of significant decision: As was true under the last iteration of the proposed regulations, the use of ADM for the purpose of making a significant decision triggers the need to conduct an assessment. The definition of “significant decision” has been narrowed in the latest draft to clarify the types of decisions that are “significant.”
  • Revised definition of behavioral advertising: There is a new proposed definition of behavioral advertising which makes clear that the term excludes “nonpersonalized advertising, provided that the consumer’s personal information is not used to build a profile about the consumer…” This is welcome news for companies that seek to advertise based on basic demographic information (e.g., all men or women in a state).

While these definitional changes mark significant improvement, the notice and opt-out requirements of the prior drafts remain largely intact. Here, too, the draft regulations include a number of changes, including additional disclosures (e.g., no retaliation against customers who opt out) and additional detail around how the CPPA expects businesses to comply with the notice requirements of the draft ADM rules. The proposed regulations also make clear that certain exceptions to the opt-out right for ADM do not apply to the use of ADM for behavioral advertising based on data subject profiling. This means the use of ADM for behavioral advertising may require opt-outs even where the advertising is based on first-party data.

PRIVACY RISK ASSESSMENTS 

As with the ADM draft regulations, the latest proposed regulations include helpful, and significant, revisions. In addition to several definitional changes, the draft regulations include a number of changes to the thresholds for conducting risk assessments. Risk assessments would now be triggered by the following uses of personal information:

  • Selling or sharing of information
  • Most instances of processing of sensitive information (now including information of a minor)
  • Using ADM for a significant decision or “extensive” profiling (a new term meaning work or educational profiling, public profiling or profiling for behavioral advertising)
  • Training ADM or artificial intelligence capable of certain actions, including significant decision-making and creation of deepfakes

One of the welcome revisions to the assessment draft regulations is greater clarity around what elements must appear in the assessment as opposed to those that may appear in an assessment. The prior draft regulation seemed to suggest that companies would have to consider and document a wide array of considerations that might have had no applicability to the particular use case. The new draft regulations address some of that by clarifying that certain elements of the assessment are not strictly required.

CCPA REGULATION CHANGES

The proposed changes to the existing CCPA regulations would expand consumer privacy rights while also adjusting certain financial thresholds of the CCPA, including the $25 million applicability threshold. Other changes include:

  • New monetary thresholds: If the proposed regulations come into effect, then retroactively effective January 1, 2023, the revenue threshold for a company qualifying as a business will increase from $25 million to $27,975,000. In addition, monetary penalties will increase.
  • Expansion of the right to access: Businesses that maintain personal information for longer than 12 months must provide consumers with a method by which they can request their personal information collected prior to the 12-month period preceding the date the business receives the request.
  • Complaints with the CPPA or attorney general: Businesses must inform consumers that they can file complaints with the CPPA or the attorney general if they believe that their privacy rights have been violated and provide links to the complaint forms on their websites. This approach is aligned with other state consumer privacy laws, such as those in Colorado, Connecticut and Virginia.

WHAT’S NEXT?

Formal rulemaking has not yet begun, though we expect the regulations to be finalized in the coming months. Companies should take this opportunity to assess their current readiness against the proposed regulations and understand what additional steps need to be taken to become compliant.

If you have questions or need assistance with CCPA compliance or other state privacy laws, please contact any of the authors or your regular McDermott lawyer.