March 14, 2025

U.S. Privacy and Data Protection | Insights | CCPA Regulations | Q1 2025 (State Law)

By Liana Chen

Partner

For any business collecting or processing personal information, it is crucial to stay informed about the evolving regulatory landscape. Many businesses reviewed their practices when the California Consumer Protection Act (CCPA) was first passed, but there are now a number of new requirements from various state privacy laws and new proposed CCPA regulations that require attention.

CCPA Regulations

The draft CCPA regulations, which follow years of drafting as well as public comment, would (when final) impose significant requirements on businesses meeting certain thresholds. In particular, the draft includes mandates for “automated decision-making technology” (ADMT), which may include artificial intelligence (AI), risk assessments, and independent cybersecurity audits.

Accordingly, businesses should review and update their practices to ensure compliance where applicable, especially those that:

  • engage in data “sales” (e.g., marketing cookies and data brokering)
  • collect or process “sensitive” personal information (e.g., specific geolocation, government identifiers, race, biometrics, etc.)
  • use ADMT or AI to make significant decisions or profile consumers (including for targeted ads)
  • have significant revenue, data on a large volume of individuals, or earn money through data selling/sharing.

Note that many other states and countries also have new and emerging legislation in this area.

Automated Decision-Making Technology (ADMT)

ADMT is technology that makes decisions, or that a person relies upon to make decisions. This includes profiling to evaluate consumers using automated means to analyze different factors (e.g., personality, interests, location). ADMT can also include AI. Examples include:

  • Technology that places consumers into groups to target ads
  • Resume-screening tools used to make decisions about hiring
  • Facial-recognition technology to verify the identity of consumers entering a location

In particular, new requirements would apply where ADMT is used for the following:

  • Making a “significant decision” (e.g., financial services, insurance, housing, employment, healthcare services, or essential goods or services)
  • “Extensive profiling,” which includes analyzing consumers’ personality, interests, behavior, or location in certain areas or to target ads (i.e., profiling for behavioral ads)

Specifically, businesses covered under the CCPA and using ADMT in these ways must provide:

  • A pre-use notice about why ADMT is used, how it will work, and opt-out rights
  • An easy way for consumers to opt out (unless an exception applies)
  • An easy way to access data and certain information in response to requests

Risk Assessments

Businesses would also have new requirements to conduct risk assessments if they:

  • “Sell” or “share” personal information (which includes marketing/third-party cookies/tools)
  • Collect, use, disclose, retain, or process “sensitive” personal information
  • Use ADMT for a significant purpose or extensive profiling (see above)
  • Use personal information to train ADMT or AI that could be used for certain purposes:
      • To identify people (e.g., facial-recognition technology)
      • For physical or biological identification or profiling
      • To make significant decisions
      • To generate “deepfakes”
      • To operate generative models

Risk assessments would need to do the following:

  • Outline why the business needs to do any of the activities
  • Identify the types of personal data the business would collect, use, disclose, or retain
  • Outline how the business would do the activity (e.g., number of consumers affected, what the business would tell them about their personal information, who else is involved, what technology would be used, and how any ADMT would be used to make decisions)
  • Describe the benefits and consequences to consumers and any protections put in place (e.g., encryption, policies to ensure ADMT would not discriminate and would be accurate)

Businesses must ensure that service providers and contractors are required to provide relevant information, and they cannot begin an activity if the risks outweigh the benefits.

Businesses would need to submit a certification about the assessment and an “abridged risk assessment” (i.e., a shorter version with certain information) to the California Privacy Protection Agency (CPPA), which has recently enlisted additional investigators and staff.

Cybersecurity Audits

Businesses that meet a certain revenue and data volume threshold would also be required to complete an independent cybersecurity audit and submit a certification to the CPPA.

This would require the following steps:

  • Selection of the auditor
  • Providing information to the auditor
  • Presenting the audit results to responsible/senior individuals
  • Submitting a certification of completion to the CPPA
  • Ensuring service providers and contractors are required to provide relevant information

The auditor would need to be qualified, unbiased, and independent, and to draw on professional auditing experience, and the audit itself would be required to include specified information.

While businesses would have 24 months from the effective date to conduct the cybersecurity audit, the audit would look back on the last 12 months, meaning businesses will want to start considering cybersecurity audits early enough to remedy any gaps and take action if needed. This may also demonstrate reasonable data protection measures to prevent a data breach.

Conclusion

Data privacy and security laws are continuing to evolve and impose strict requirements and potential penalties. Businesses should conduct a thorough review of their data processing practices, particularly concerning ADMT, targeted ads, data selling, and sensitive information. Non-compliance may lead to litigation and reputational harm, among other things.

Kronenberger Rosenfeld, LLP regularly advises clients regarding advertising and privacy compliance. Contact our firm using our online case submission form here.

This entry was posted on Friday, March 14, 2025 and is filed under Privacy and Data Protection Updates, Internet Law News.
