Privacy Daily is a service of Warren Communications News.
Agency Clarifies DROP Proposal

No Changes to Automated-Decisions Draft Before Calif. Privacy Board Meeting

The California Privacy Protection Agency won't make further significant changes to proposed rules in a controversial rulemaking on automated decision-making technology (ADMT) and other subjects, according to a draft released Tuesday. Meanwhile, in a proceeding on creating a data-deletion mechanism, the agency proposed several clarifications on data broker responsibilities. The CPPA posted those and other materials ahead of Thursday’s scheduled board meeting (see 2507110055).

California’s ADMT rulemaking also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations. In comments last month at the agency, consumer and labor groups condemned May 9 revisions to those draft rules as conceding too much to industry interests (see 2506030017).

However, in the draft final statement of reasons on Tuesday, the CPPA said: “After a review of all comments submitted on the proposed regulations, the Agency determined that no further substantive changes would be made to the proposed regulations.” The CPPA posted a fresh copy of the regulations showing the May 9 changes and nothing new since then.

Also, the agency, in an economic impact statement, estimated the statewide compliance cost for the proposed rules would be $4.8 billion over 10 years. However, the CPPA also estimated statewide benefits would be $282 billion during the same period. The agency predicted the regulation would create 358,00 jobs by 2037, while eliminating 92,000 by 2028.

One quantifiable benefit would be “reduced risk of cybercrimes,” said the agency: Those benefits could be $1 billion in 2028, rising to $111 billion by 2037. “There are many benefits for businesses and the economy that cannot be quantified,” it added. “Consumers benefit from stronger privacy protections.”

The CPPA also posted its latest draft of rules required by the California Delete Act for establishing the Delete Request and Opt-Out Platform (DROP). An April 25 proposal on the deletion mechanism raised some tech industry concerns in comments last month (see 2506110033).

The agency released a grid explaining DROP rule changes proposed after the initial 45-day comment period. Among other things, the CPPA clarified that:

  • Data brokers must provide all website addresses used for their services during DROP account creation and registration.
  • Data brokers don’t have to pay both DROP registration and first-time access fees in the same calendar year.
  • Data brokers should only “standardize consumer personal information for purposes of matching to consumer deletion lists and providing that information to service providers and contractors.”
  • “Multiple identifiers must be individually hashed, combined into one identifier, and then hashed once more.”
  • A data broker that initially lacks personal information of a consumer submitting a DROP request, but which later collects that information, “must check against their maintained deletion list(s) to identify whether a consumer has submitted a DROP request, and may not sell or share personal information of a consumer who has submitted a DROP request.”
  • Data brokers are allowed to “forward suppression lists to service providers and contractors to facilitate consumer deletion requests.”
  • If a data broker buys or collects personal information of a consumer for which it didn’t previously have a match, “the data broker must report that match and the updated status of the request in the next access session.”
  • Companies have 45 days to notify the CPPA they no longer meet the definition of a data broker.
  • The CPPA will verify consumer residency before sending a deletion request to data brokers, and authorized agents may only aid a consumer with deletion after residency is verified.

The agency plans to spend $4.8 million over two years on developing DROP, according to an administrative presentation planned for Thursday’s meeting. Additionally, the agency plans to spend $700,000 over two years to build out its enforcement infrastructure, according to the slide presentation. The agency said it spent more than $14 million overall in the 2024-25 fiscal year.

On the legislative front, another meeting presentation showed CPPA staff will recommend that the agency take positions on two more California bills: (1) neutral on AB-302, which is akin to New Jersey’s Daniel’s Law that would provide enhanced privacy protections for judges and elected officials; and (2) yes on AB-322, a location privacy bill. Both cleared the California Senate Judiciary Committee last week (see 2507170018).

CPPA staff raised concerns with AB-302. “Expanding the privacy protections of government officers is an important goal, especially in light of recent increased violence directed towards state officials,” said a proposed memo. “However, as currently drafted, the bill has substantial issues related to process, verification, and technical feasibility.”

First, the CPPA isn’t the appropriate entity to create and update a list of all elected state and local officials, the proposed memo said. “Second, the bill creates a conflict with provisions of the [California] Delete Act requiring that deletion requests are verifiable.” It’s unlikely that necessary technical and regulatory changes can be completed by the bill’s Aug. 1, 2026, deadline, it said.

However, staff recommends supporting the geolocation bill since it aims to strengthen “privacy protections for geolocation information, a particularly sensitive category of information,” said a proposed memo on AB-322. The CPPA Board previously voted to support an earlier version of the proposal when it was numbered AB-1355 (see 2505020034).