Calif. Privacy Board Clears Contested Rules on ADMT, Risk Assessments and More

Also at the meeting, the CPPA Board authorized staff to support a location privacy bill (AB-322) and “support if amended” a separate measure (AB-302) to protect the private information of judges and public officials.

Earlier this week, CPPA staff said the agency wouldn't make further changes to draft regulations in the controversial rulemaking (see 2507220043). Thursday’s CPPA Board approval allows staff to submit the rulemaking package to the California Office of Administrative Law, which, in turn, will have 30 business days to decide if the rules may become final.

Chair Jennifer Urban supported the proposed regulations: “They are strong. They are reasonable. They are clear.” She pledged to monitor how well the regulations work and make needed changes in the future.

Board member Drew Liebert expects "all sides will still have a lot of unhappiness” with the rules, but the test can't be about making everyone happy, he said. “We were required to do our best and to keep improving these regulations, and we will do so.”

CPPA General Counsel Philip Laird said the agency will produce a document with summaries of and responses to all comments received. Many comments showed a “misunderstanding” of the regulations, he said. The agency can still refine rules later if needed, noted Laird.

About 20 members of the public gave in-person or virtual testimony on the ADMT rules for about an hour. For different reasons, industry officials, consumer advocates and workers' union reps voiced reservations about the proposed rules, tracking with comments they submitted to the agency last month (see 2506030017). The business groups tended to argue that changes made over the course of the proceeding improved some aspects of the rules, while the consumer and labor groups said those changes significantly weakened protections.

While the board considered what position to take on AB-302, a bill similar to Daniel’s Law in New Jersey, board member Brandi Nonnecke raised concerns that expediting deletion of public officials’ data could lead to a “slippery slope.” Nonnecke agreed with the “spirit” of the bill, but asked, “If we go down this path, shouldn’t we also be doing that for victims of domestic abuse? Or where does it end?”

Staff concerns relate to the logistical and technical feasibility of implementing the law, said Maureen Mahoney, CPPA deputy director of policy and legislation.

Other States Eye DROP

The board also planned Thursday to consider draft rules for implementing a data-deletion mechanism under the California Delete Act (see 2507230033). Discussion of the draft in Sacramento didn’t begin by our deadline. But earlier, in an update to the board, CPPA Executive Director Tom Kemp said the agency aims to make its upcoming Delete Request and Opt-Out Platform (DROP) a model that other states could adopt.

Urban said she often gets questions about whether other states could adapt DROP. She asked Kemp if she was correct to say that “we are building this so that other folks don't have to reinvent the wheel?"

Kemp agreed. At least 20 state legislators have expressed strong interest in developing an equivalent system, said the executive director: Once DROP is up and running, "we will be very interested in partnering with other jurisdictions to ensure that [this] type of privacy [capability extends] throughout the United States.”

Other CPPA members also praised the upcoming deletion mechanism, which is set to launch next year for consumers Jan. 1 and for data brokers on Aug. 1, 2026. “The notion that you can do a one-stop shop and get rid of all your data from data brokers is extraordinary,” said Alastair Mactaggart, a board member.

Liebert agreed: "The idea has been that companies get to use our personal data unless we tell them not to. That is the fundamental Faustian bargain that we never entered into as Californians or as Americans." Therefore, he said, "the promise of the Delete Act is extraordinary."

Earlier in the meeting, Kemp said the agency is engaged in enforcement and has “numerous” investigations working. This includes continuing the agency’s data broker registration enforcement sweep, he said. Also, the agency is collaborating with the California attorney general’s office and other states’ privacy regulators, he said. CPPA Enforcement Head Michael Macko will give a full update at the board’s next meeting, added Kemp. "We as an agency are grounded in addressing real-world privacy harms for Californians."

Urban said she’s “been very impressed with the [enforcement] team's work." She’s heard much discussion in the privacy legal community about CPPA actions, "which, in my view, is one of the great purposes of enforcement.” That is, “to provide guidance to all so that they understand how the agency is seen" and how "the law should be implemented."

However, Liebert raised resource issues. The agency is authorized to have five staff members for DROP, though just two positions are filled, reported CPPA staff. Liebert said that seems “misaligned” with the hundreds of thousands of employees that some large tech companies have. “We have a highly efficient team,” he said, but "that's not enough people” considering the immensity of the work.

Von Chitambira, CPPA deputy director of administration, agreed that additional resources are needed. Not only for the enforcement team, she said, but also for the agency’s legal and administration units. The agency is authorized to have 53 positions; it’s filled 43 permanent positions and four temporary roles and has one intern, she said. The agency plans to sign a lease for a permanent Sacramento office next month and move into it in August 2026, she added.