Desiree Sainthrope is a Legal expert with extensive experience drafting and analyzing trade agreements. She is a recognized authority in global compliance and possesses a broad range of interests within the legal field, including intellectual property and the evolving implications of technologies such as AI.
Could you briefly summarize the recent meeting held by the California Privacy Protection Agency (CPPA) Board on November 8?
The CPPA Board’s meeting on November 8 focused on advancing several proposed regulations to formal rulemaking. The main topics included regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). Additionally, the Board voted to finalize the Delete Act registration rules for data brokers and approved settlements with two data brokers. The votes for advancing these regulations were 4-1 in favor.
What regulations has the CPPA proposed regarding automated decision-making technology (ADMT)?
The proposed regulations aim to establish a consumer right to access and opt out of a business’s use of ADMT. This includes defining what constitutes ADMT and setting guidelines for businesses on how to implement consumer opt-out requests.
What changes are expected for consumer rights regarding ADMT?
Consumers will gain the ability to access information about how ADMT affects them and opt out of automated decision-making processes applied to their data. This gives consumers more control over their personal information.
What concerns were raised by Board Member Alastair Mactaggart regarding ADMT?
Board Member Alastair Mactaggart voiced concerns that the scope of what qualifies as ADMT might be too broad. He was worried that making ADMT a standalone trigger for conducting risk assessments could overwhelm the CPPA with paperwork and hinder effective enforcement.
What financial impact is anticipated from the proposed ADMT regulations according to the CPPA’s Standardized Regulatory Impact Assessment (SRIA)?
The SRIA estimates that the proposed ADMT regulations will impose $3.5 billion in direct costs on California businesses in the first year alone, with an additional $1.08 billion over the following ten years.
How might these regulations affect investment and job numbers in California?
The regulations are projected to have a $31 billion adverse impact on investment in California and could result in the loss of approximately 98,000 jobs in the state.
What steps will the public need to follow during the comment period for the proposed regulations?
The public comment period began on November 22 and will end on January 14, 2025. During this time, stakeholders and the general public can submit their feedback on the proposed regulations.
What are the finalized regulations under the Delete Act?
The finalized regulations require data brokers to register annually with the CPPA starting on January 1, 2025. Beginning August 1, 2026, data brokers must also fulfill deletion requests submitted by consumers through a centralized deletion mechanism.
What requirements will data brokers need to fulfill according to these regulations?
Data brokers will need to adhere to expanded definitions under the Delete Act, register annually, and comply with deletion requests submitted by consumers via the centralized mechanism.
How might the definition expansion affect businesses?
The expansion of definitions will likely increase the number of businesses subject to the law, including those that have direct consumer relationships but also sell personal information they did not collect directly from consumers.
Could you provide details on the recent settlements approved by the CPPA with two data brokers?
The CPPA approved settlements with Growbots and UpLead for failing to register and pay the required annual fee. Growbots will pay $35,400, and UpLead will pay $34,400. Both companies also agreed to injunctive relief, covering attorney fees and costs resulting from any noncompliance.
What were the allegations against Growbots and UpLead?
Both companies were alleged to have failed to register as data brokers and pay the annual fee required under the Delete Act. The settlements mark the first enforcement actions under this legislation.
What penalties were imposed on these companies?
Growbots and UpLead faced fines of $35,400 and $34,400, respectively, and agreed to additional injunctive relief measures.
Can you share why Executive Director Ashkan Soltani is stepping down?
While the reason for Ashkan Soltani’s departure wasn’t explicitly detailed, his tenure was marked by significant developments in the CPPA’s regulatory framework.
What contributions has Ashkan Soltani made to the CPPA during his tenure?
Ashkan Soltani has played a crucial role in advancing the CPPA’s regulatory agenda, including pushing forward key proposed regulations and overseeing the implementation of the Delete Act.
How has Perkins Coie’s Privacy & Security practice been involved in CCPA proposed rules?
Perkins Coie’s Privacy & Security practice has been actively helping clients respond to the CCPA proposed rules by providing expert advice and support during the public commenting process.
What role does Perkins Coie play in helping clients respond to these regulations?
They assist clients in understanding the implications of new regulations, preparing for compliance, and submitting informed comments during the rulemaking period.
How does Perkins Coie keep its readers informed about developments in privacy laws?
Perkins Coie regularly updates its clients and readers through publications, seminars, and consultations, ensuring they remain informed about the latest developments in privacy laws.
Do you have any advice for our readers?
Staying informed about regulatory developments and actively participating in public commenting periods can significantly influence the shaping of these regulations. Proactively preparing for compliance helps mitigate the potential negative impacts on your business.
