| Update Applicable to: | Effective Date |
| --- | --- |
| All employers subject to the California Consumer Protection Act (CCPA) | See Details Below |
What happened?
The California Privacy Protection Agency (CPPA) held a board meeting on April 4, 2025, discussing updates to the proposed CCPA regulations. Businesses subject to the CCPA should start preparing for the new regulatory requirements.
Overview:
CPPA Board Meeting Updates:
- Automated Decisionmaking Technology (ADMT): The CPPA discussed changes to consumer rights to access and opt out of ADMT and proposed three new definitions. If accepted, sensitive data would include neural data. Draft revisions reduce business evaluation requirements and remove the need to identify information sources, explain task relevance, or measure data errors. Changes to ADMT training thresholds and profiling rules for work or educational purposes will also be discussed.
- Behavioral Advertising: The CPPA may remove “behavioral advertising” from the risk assessment and ADMT requirements; its inclusion was initially proposed to extend opt-out rights to first-party digital advertising.
- Virtual Reality and Smart Devices: Businesses can notify consumers “at the time” of an encounter with virtual reality or smart devices, rather than at the point of engagement.
- Risk Assessments: Businesses must conduct risk assessments to identify and mitigate privacy risks. Updates to these assessments must be made as soon as “feasibly” possible, but no later than 45 days after a material change.
- Cybersecurity Audits: Certain businesses will require annual cybersecurity audits. The deadline for these audits is extended to January 1, 2028, for businesses with significant risks and to January 1, 2029, for others. Audits will document effectiveness rather than assess it. Businesses using other audits to meet CCPA requirements no longer need to explain compliance.
- Insurance Companies: Clarifications on compliance requirements for insurance companies under the CCPA.
- Consumer Rights and Protections: Businesses no longer need to inform consumers about filing complaints with the agency or attorney general, or provide links to complaint forms. The requirement to annotate disputed data has also been removed.
Source References
- CPPA April 4 Meeting Materials
- The CPPA Publishes Proposed Revisions to the CCPA Regulations (VensureHR)