More Proposed Regulations from California: What Do These Mean for Your Business?

July 29, 2024
Privacy, Cyber & AI Decoded

What Issues Did the California Privacy Protection Agency Raise?

On July 16, 2024, the California Privacy Protection Agency (Agency) discussed proposed updates to the California Consumer Privacy Act (CCPA) regulations. These proposed updates involve:

Enforcement Priorities

As part of the July 16 meeting, the Agency discussed continued staff expansion and Agency enforcement priorities:

  1. failure to honor opt-out requests unless a consumer submits verification;
  2. businesses that share and sell personal information without an opt-out mechanism;
  3. businesses that use dark patterns to prevent consumers from exercising their rights; and
  4. violations of the CCPA and implementing regulations impacting vulnerable groups.

We recommend that businesses review their privacy practices immediately for compliance with these enforcement priorities.  

Insurance Regulations

Insurance companies that fall under the CCPA's definition of a business are now required to comply with the act regarding any personal information collected for purposes other than in connection with an insurance transaction.

For example, an insurance company that collects personal information from consumers visiting its website solely for advertising purposes (and not for an insurance product or service) must now comply with the CCPA’s requirements, such as giving consumers the right to opt out of the sale or sharing of their personal information and providing an updated privacy policy/notice at collection.

This change will likely impact most insurance companies, many of which are not familiar with the CCPA’s requirements and obligations.

Cybersecurity Audits

Risk Assessments

Businesses that engage in processing activities deemed by the revised regulations as presenting "significant risks" to consumer privacy will now be required to conduct risk assessments.

These significant risks include selling or sharing personal information, processing sensitive data (with certain exceptions), and using artificial intelligence (AI) for higher-risk activities.

The risk assessment will assess:

Companies updating their risk assessment processes for AI may want to consider these Agency requirements for their 2025 planning.

Automated Decision-making Technology (ADMT) Regulations

The Agency’s ADMT regulations define artificial intelligence and ADMT broadly, and the definition includes scoring and profiling technologies. New consumer rights, such as pre-use notices and the option to opt out and access data in ADMT, would be required.

These regulations could be challenging for companies leveraging large language models (LLMs) and untagged data. The Agency is still discussing these regulations.

What’s Next?