Back to homepage

California’s privacy agency adopts new data broker regulations

November 15, 2024

On November 8, the California Privacy Protection Agency (CPPA) Board voted to adopt new regulations concerning data broker registration requirements and to advance a proposed rulemaking package for insurance, cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and updates to existing regulations. The data broker regulations, which clarify provisions in the Delete Act, will be submitted to the Office of Administrative Law for review and approval, potentially becoming effective by January 1, 2025. According to the CPPA, these regulations would refine procedures for data brokers and increase public awareness, including clarifying registration requirements and defining terms.

The proposed rulemaking package will be subject to a 45-day formal public comment period. It includes updates to existing CPPA regulations, specifies compliance requirements for insurance companies, mandates annual cybersecurity audits and risk assessments for certain businesses, and establishes consumer rights regarding ADMT.