Category Archives: California Consumer Privacy Act (CCPA)

CPPA Adopts Long Awaited Rulemaking Package

by Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen

Left to right: Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen (photos courtesy of Debevoise & Plimpton LLP)

The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

California’s Legislative Push on AI: A Wave of New Obligations and Prohibitions

by Beth George, Janet Kim, Sean Quinn, Madeline Cimino, and Christine Chong

From left to right: Beth George, Janet Kim, Sean Quinn, Madeline Cimino, and Christine Chong (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

California Governor Gavin Newsom recently signed into law a wave of legislation – totaling 19 laws – addressing the opportunities and risks of AI and placing California at the forefront of AI regulation in the United States. From election integrity to performer rights and healthcare transparency, the state has enacted measures aimed at managing potential negative impacts of the AI boom. At the same time, Governor Newsom vetoed SB 1047, the most comprehensive bill on his desk, signaling his interest in balancing the need for regulation to promote the safe deployment of AI with an interest in fostering growth in this important new sector of the California tech economy.

Does California’s Delete Act Have the “DROP” on Data Brokers?: Updates and Insights from the Recent Stakeholder Session

by Christine E. Lyon, Christine Chong, Jackson Myers, and Ortal Isaac

From left to right: Christine E. Lyon, Christine Chong and Jackson Myers. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

The California Delete Act will make it easier for California consumers to request deletion of their personal information by so-called “data brokers,” a term that is much broader than companies may expect (see our prior blog post here). In particular, the Delete Act provides for a universal data deletion mechanism—known as the Data Broker Delete Requests and Opt-Out Platform, or “DROP”—that will allow any California consumer to make a single request for the deletion of their personal information by certain, or all, registered data brokers. In turn, by August 2026, data brokers will be required to regularly monitor, process, and honor deletion requests submitted through the DROP.

While the DROP’s policy objectives are fairly straightforward, it is less clear how the DROP will work in practice. For example, what measures will be taken to verify the identity of the consumer making the request, to ensure that the requesting party is the consumer they claim to be? What measures will be taken to verify that a person claiming to act as an authorized agent for a consumer actually has the right to request deletion of that consumer’s personal information? Unauthorized deletion of personal information may result in inconvenience or even loss or harm to individuals, which raises the stakes for the California Privacy Protection Agency (CPPA) as the agency responsible for building the DROP.

CPPA’s Regulatory Enforcement Restored: It’s Time to Get Compliant

by Beth Burgin Waller and Patrick J. Austin

From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

For businesses subject to the California Consumer Privacy Act (CCPA), privacy compliance just became urgent. A California appellate court agreed on February 9, 2024, with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means that, for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.

New Jersey Governor Signs Comprehensive Privacy Law

by Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins

From left to right: Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins. (Photos courtesy of Davis Wright Tremaine LLP)

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 (“the Act”), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware. The Act will take effect on January 16, 2025.

Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023, full-day conference on Security, Privacy, and Consumer Protection.

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

California Privacy Protection Agency Publishes Draft Regulations on Automated Decisionmaking Technology

by Hunton Andrews Kurth LLP

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

Ctrl-Alt-Delete: California Legislature Passes Delete Act

by Nancy Libin and Patrick J. Austin

From left to right: Nancy Libin and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Legislation requires data brokers to register with the California Privacy Protection Agency and comply with a one-stop consumer deletion mechanism by 2026

The wave of data privacy legislation in California continues as lawmakers passed a bill that will impose new obligations on data brokers. Senate Bill 362, also known as the Delete Act, will amend California’s existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a “one-stop” mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.

The Delete Act, awaiting signature by the Governor, will become law no later than October 14, 2023, unless signed earlier or vetoed. 

Below is an overview of notable provisions and regulatory requirements.
