California Consumer Privacy Act

Keypoint: Last week, the California legislature returned from its summer recess and began moving forward with privacy and AI legislation prior to the August 31 session closing date.

We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.

Keypoint: The California legislature has many pending privacy and AI-related bills to consider before it closes on August 31.

The California legislature left for its summer recess on July 3 and will reconvene on August 5. Once it returns, the legislature will have twenty-six days to pass bills before it recesses for the year on August 31.

In the below article, we identify and briefly summarize the pending privacy and AI bills and where they stand in the legislative process. The bills cover a wide range of topics, including kid’s privacy, opt-out preference signals, neural data, and algorithmic discrimination. All together, we are tracking fourteen bills, one of which was signed into law on July 15. The remaining thirteen bills all passed through their chamber of origin prior to the May 24 deadline and are at various stages of consideration in the opposite chamber.

Keypoint: The settlement, which includes a $500,000 fine and injunctive relief, arises out of alleged violations of the CCPA’s children’s privacy provisions and COPPA.

On June 18, 2024, the California Attorney General announced it had reached a settlement with an online gaming company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and federal Children’s Online Privacy Protection Act (COPPA) “by collecting and sharing children’s data without parental consent in their popular mobile app game ‘SpongeBob: Krusty Cook-Off.’” The Attorney General’s complaint and settlement were pursued in connection with the Los Angeles City Attorney’s office.

In the below article we provide a brief overview of the settlement.

Keypoint: In only its second public enforcement settlement, the California Attorney General announced a $375,000 fine along with injunctive relief.

On February 21, 2024, the California Attorney General announced that it had reached a settlement with a company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA). This is only the second time the Attorney General’s office has publicly announced a settlement. In August 2022, the office announced a settlement over allegations that a company failed to disclose that it was selling consumers’ personal information and failed to process opt-out requests via user-enabled global privacy controls.

In announcing the enforcement action, Attorney General Bonta stated “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

In the below article we provide a brief overview of the settlement.

Keypoint: Based on the appellate court’s ruling, the new CCPA regulations are enforceable immediately instead of on March 29, 2024.

On February 9, 2024, a three-judge panel of the California Court of Appeals issued an order overruling a California trial court decision and holding that the new CCPA regulations approved by the Office of Administrative

Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing draft automated decisionmaking technology regulations although the Agency has yet to initiate the formal rulemaking process.

On November 27, 2023, the California Privacy Protection Agency (Agency) published draft automated decisionmaking technology regulations as well as revised draft risk assessment regulations. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft regulations are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

This article focuses on how the two draft regulations address automated decisionmaking technology (ADMT). The risk assessment regulations contain additional provisions that are not addressed herein. In addition, given that these are only draft regulations, this article only provides a high-level summary and some takeaways. It does not provide an exhaustive analysis of the draft regulations.

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.

Keypoint: Although they are only draft regulations and not part of the formal rulemaking process, the drafts demonstrate the Agency’s intent to create extensive obligations for businesses subject to these regulations.

In connection with its September 8, 2023 Board meeting, the California Privacy Protection Agency (“Agency”) published draft regulations on risk assessments and cybersecurity audits. The drafts were provided as meeting materials for a CPRA rules subcommittee update.

The drafts specifically state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” To that end, the drafts identify specific text for the Board to discuss and, in some instances, identify multiple options for Board consideration. The drafts also note that the Agency “has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decisionmaking technology.”

Although these are only drafts, they nonetheless provide an initial insight into the Agency’s thought process for these new and significant rulemaking topics. In short, the drafts indicate the Agency’s intent to create extensive obligations for businesses subject to these regulations. In the below post, we provide a high-level summary and analysis of some of the more notable parts of the drafts.

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically