Businesses should start thinking now about complying with new data-protection regulations approved Thursday by the California Privacy Protection Agency (CPPA), privacy attorneys said immediately afterward in blogs and LinkedIn posts. While consumer privacy advocates slammed the rules as weak, one acknowledged they still give California a lead over other U.S. states.
The California Privacy Protection Agency will soon take 15 days of comments on revised draft rules for implementing a data-deletion mechanism under the California Delete Act, the five-person CPPA board decided unanimously during a partially virtual meeting Thursday. The agency expects to extensively test the system to work out any kinks before data brokers start accessing it in August 2026, said General Counsel Philip Laird.
The Senate should revisit legislation to protect consumers’ health data privacy outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), Sens. Bill Cassidy, R-La., and Jacky Rosen, D-Nev., told us in recent interviews (see 2507090048).
Recent settlements show the vulnerability of companies that hire privacy vendors and think they're in compliance, Frankfurt Kurnit attorneys said during a webinar Thursday. In addition, they noted that states besides California are becoming more active in privacy litigation and enforcement.
The California Privacy Protection Agency approved rules on automated decision-making technology (ADMT) and other subjects at a partially virtual meeting Thursday. CPPA Board members voted 5-0 to clear the rulemaking package, which also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations.
A consumer advocacy group that sponsored the California Delete Act offered a mostly positive assessment of the California Privacy Protection Agency’s latest draft of rules for implementing a data deletion mechanism. Concerns linger that data brokers may try to shirk the requirements, said Emory Roane, Privacy Rights Clearinghouse associate director of policy, in an email to Privacy Daily. However, the CPPA’s new draft answers key questions about ensuring the Delete Request and Opt-Out Platform (DROP) will work effectively when it opens to consumers Jan. 1 and data brokers on Aug. 1, 2026.
With substantive data-protection provisions of the U.K. Data (Use and Access) Act 2025 (DUAA) beginning to apply near year's end, organizations should start monitoring new guidance from the Information Commissioner's Office (ICO), Robin Edwards, a member of the government's Department for Science, Innovation and Technology, said Wednesday during an IAPP webinar.
The Connecticut attorney general's office is shifting from focusing on transparency and facial requirements to more in-depth work, examining whether organizations' privacy mechanisms are working and in compliance, three assistant attorneys general said during an IAPP KnowledgeNet event Tuesday.
The White House on Wednesday released its AI Action Plan, directing federal agencies to potentially withhold discretionary funding from states with AI regulations that “hinder” innovation. California's privacy agency and legislators from two other states rebuked the proposal.
Privacy Daily is providing readers with the top stories from last week, in case you missed them. All articles can be found by searching the title or clicking on the hyperlinked reference number.