CPPA Revises Risk-Assessments Proposal After 9th Circuit Ruling

Much attention is focused on the CPPA's moves to reduce the volume of rules it originally proposed for ADMT and behavioral advertising (see 2505010048 and 2504040043), noted Friel, who also blogged about the changes May 9. However, the lawyer said a big change in the May 9 draft, as compared to the prior April 30 version, involves risk assessment disclosures.

Friel said the changes seem to respond to the 9th Circuit U.S. Court of Appeals striking down the impact assessment requirements of California’s AADC law as compelled speech in violation of the First Amendment (see 2408160015 and 2503140063). CPPA Board Member Alastair Mactaggart previously raised the impact of the 9th Circuit case as a concern, noted the lawyer.

When the appeals court rejected those requirements in the AADC case, it indicated “this does not necessarily mean that risk assessments under CCPA would be unconstitutional if narrowly structured,” said Friel. So what the CPPA did in the latest draft is "quite clever,” he added: The agency now says that a business' report must “include everything except the risk-benefit analysis and the judgment calls. And so, you’ve got to do it, but it remains privileged and private.” That’s “consistent with the First Amendment jurisprudence, which says you can require commercial actors to disclose facts, but you can't require them to disclose a judgment, decision or an opinion.”

The new language could still be challenged “because it’s still compelled speech,” said Friel. However, the courts would have to consider if what's being compelled are “purely factual statements that are necessary for the public interest.” For example, the government is allowed to require companies to put ingredients and calorie counts on food packaging.

Although CPPA Board Chair Jennifer Urban raised concerns at the May 1 meeting that staff may have gone too far paring proposed ADMT rules, the CPPA didn’t pull back on its April 30 cuts in the May 9 draft, said Friel. “But that’s all an open issue,” he said. “We can still end up somewhere in the middle. For instance, the definition of significant decision is now more narrow than [in] other states, and you can see commenters saying, 'Let's try as much as possible to have a consistent national approach.'”

Several other privacy attorneys also blogged recently about their key takeaways from the May 9 draft.

“While the CPPA has pulled back from many of the most ambitious -- and onerous -- parts of the proposed regulations, it is clear that the CPPA is moving to finalize these narrowed set of regulations by November 2025," Mintz privacy attorney David Saunders blogged Tuesday. "So now is the time for companies subject to the CCPA to consider any final comments to the proposed regulations and begin planning for their implementation.”

Saunders highlighted possible substantive changes to CCPA regulations, alongside new rules on ADMT and other areas. Under the latest draft, businesses would have to ensure consumers may withdraw consent for processing “at any time,” he said. Also, links to the company’s privacy policy will have to appear on “any internet webpage where personal information is collected,” not just the homepage. Under other proposed changes, companies may not require more steps to opt out than to opt in, consumers may request personal information collected beyond 12 months, and individuals don’t have to resubmit data subject requests when they made initial requests through agents, noted the Mintz lawyer.

The privacy agency must finalize the draft rules by Nov. 25, noted Robinson+Cole privacy attorney Kathryn Rattigan in a Thursday blog post about the draft rules. If that happens by Aug. 31, the changes will take effect Oct. 1; if it's later, they will become effective Jan. 1, she noted.