Overview
In advance of its April 4, 2025, board meeting, the California Privacy Protection Agency (CPPA) released a discussion draft of revisions to its proposed California Consumer Privacy Act (CCPA) regulations. These revisions pertain to cybersecurity audits, risk assessments, and automated decision-making technology (ADMT), and serve to update the existing CCPA proposed regulations. Our prior summaries addressed the broad reach of these proposed regulations.
The draft revisions, which follow a public comment period that saw significant activity, are fairly modest, with a few notable exceptions discussed below.
It remains unclear whether the CPPA will consider the proposed revisions significant enough to require another 45-day public comment period, or whether the CPPA will attempt to limit the next comment period to 15 days or even decline to allow a comment period at all. In short, the outcome of the April 4, 2025, board meeting could significantly impact whether the proposed CCPA regulations come into effect in Q2 or later this year. Regardless, the draft revisions demonstrate that the CPPA is moving full speed ahead with the proposed regulations, despite opposition from California businesses and even the California legislature.
For companies subject to the CCPA, this means it is time to begin preparing for the new regulations, which impose substantial new obligations.
In Depth
KEY REVISIONS
Definitions
The headline here is that, during their April board meeting, the CPPA will be considering a change to the definition of ADMT – a much-maligned definition in the proposed regulations. The CPPA staff has put forward three potential definitions, which are not yet reflected in the revisions:
Source: https://cppa.ca.gov/meetings/materials/20250404_item6_presentation.pdf
Related to the definition of ADMT, the CPPA will also consider the definition of “significant decision,” another definition that drew significant criticism for its breadth in the proposed regulations.
Another notable change is that, if the proposed revisions are accepted, sensitive data would include a consumer’s neural data. This is defined as information generated by measuring the activity of a consumer’s central or peripheral nervous system, which cannot be inferred from non-neural information. This mirrors the neural data protections that Colorado introduced in 2024.
Otherwise, the definitions in the proposed regulations remain largely the same as the November 22, 2024, version, with some modest tweaks. For example, physical or biological identifiers are now limited to characteristics that are used or can be used to identify a person.
Behavioral Advertising
One of the most scrutinized parts of the CPPA proposed regulations was the set of provisions that arguably would have extended opt-out rights to first-party digital advertising. That, obviously, would run counter to the statutory regime in the CCPA, which granted opt-out rights only for cross-context advertising (i.e., advertising based on information obtained about a user from other websites). At the April board meeting, the CPPA will consider removing “behavioral advertising” from the risk assessment and ADMT requirements.
Cybersecurity Audits
Rather than requiring businesses to conduct a cybersecurity audit within 24 months of the regulations’ effective date, the revised regulations would require businesses to perform audits by January 1, 2028, if their processing of personal information presents a significant risk to consumers’ security. If not, businesses will have until January 1, 2029.
Under the revisions, audit documents will have to be retained by both the business and the auditor for a minimum of five years after each audit’s completion. Significantly, the purpose of cybersecurity audits under the revisions would no longer be to assess the effectiveness of each business’s various components, but instead to document that effectiveness. Another proposed revision is that, if relying on other audits to satisfy their obligations under the CCPA, businesses would no longer need to explain how those other audits, assessments, or evaluations meet the requirements set forth by the CPPA.
Privacy Risk Assessments
A relief to most businesses is that the proposed revisions would no longer require businesses to “immediately” update a risk assessment whenever there is a material change relating to the processing activities. Instead, businesses would have to update their risk assessments as soon as “feasibly” possible, but no later than 45 calendar days from the date of the material change.
ADMT
In addition to the potentially significant definitional and scope changes to ADMT described above, the draft revisions would reduce the kinds of evaluations that businesses would have to undertake when using ADMT. For example, the draft revisions strike the prior requirements that a business: (1) identify the source of information, (2) explain how information is useful to certain tasks, or (3) identify how errors in the data would be measured and limited.
During the April board meeting, the CPPA will also discuss potential changes to the “training” threshold for ADMT assessments, as well as profiling rules when ADMT is used for work or educational purposes.
Virtual Reality and Smart Devices
The proposed revisions would permit businesses offering virtual reality or smart devices to notify consumers “at the time” of a consumer encounter, rather than when a consumer engages with a particular device.
Consumer Rights and Protections
The draft revisions would no longer require businesses to inform consumers that they can file a complaint with the agency and the attorney general, or to provide links to the complaint forms on their respective websites. Additionally, the requirement that a business annotate data whose accuracy a consumer disputes has been removed.
WHAT COMES NEXT?
The CPPA board will continue to discuss these and any other revisions to the proposed regulations at the April 4, 2025, board meeting. At the meeting, it is possible that the CPPA advances the revisions, in which case we anticipate one more round of public comments – either 45 or 15 days. Thereafter, we anticipate that the CPPA will seek to finalize the proposed regulations, meaning that they will come into effect later this year. That is why now is the time for businesses subject to the CCPA to begin planning for the new regulatory requirements.
If you are interested in commenting on the proposed regulations or have any questions, please contact your regular McDermott lawyer or one of the authors of this article.