Proposed Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies

On November 8, 2024, the California Privacy Protection Agency (Agency) Board voted to commence formal rulemaking on the following regulatory subjects: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies. Specifically, the proposed regulations seek to (1) update existing CCPA regulations; (2) implement requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implement consumers' rights to access and opt–out of businesses' use of ADMT; and (4) clarify when insurance companies must comply with the CCPA.

Notice Register Publication Date: November 22, 2024

Status of the Proposal: On May 9, 2025, the Agency noticed modifications to the text of the proposed regulations. The Public Comment Period for the proposed changes is open from May 9, 2025 – June 2, 2025. The comment period closes on June 2, 2025, at 5:00 p.m. Pacific Time.

Public comments may be submitted to the Agency electronically at [email protected], or by mail at the address included in the Notice of Modifications to Text of Proposed Regulations and Additional Documents Relied Upon. Please include “Public Comment on CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations” in the subject line of your comment.

Please note that all information provided in oral and written comments is subject to public disclosure.

Rulemaking Documents

May 9, 2025 – Public Notice of Modifications to Proposed Regulations

January 13, 2025 – Public Notice of Extension of Comment Period

Notice of Extension of Public Comment Period and Additional Hearing Date

November 22, 2024 – Public Notice of Rulemaking and Related Documents

Public Comments

Comments received during the November 22, 2024 – February 19, 2025 Comment Period are linked below.

Written Comments

Oral Comments

Transcript of comments received during February 19, 2025 Public Comment Hearing

Preliminary Rulemaking Activities

The California Privacy Protection Agency solicited preliminary written comments from the public via an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking from February 10, 2023 through March 27, 2023. That period has now closed, and the public comments are available via the links below.

Preliminary Public Comments

Comments received during preliminary public comment period

Name	Organization	Comment #	Comment (ID, pages)
Megan Gray	GrayMatters Law and Policy	P1	PDF1 - 1-26
Nicole Day		P2	PDF1 - 27
Sidney Hoff	American Express	P3	PDF1 - 28-36
David Swetnam-Burland et al.	Brann & Isaacson	P4	PDF1 - 37-41
Ed Howard	University of San Diego School of Law Children's Advocacy Institute	P5	PDF1 - 42-265
Robert Healey	Formiti Data International UK	P6	PDF1 - 266
Ridhi Shetty	Center for Democracy & Technology	P7	PDF1 - 267-297
Stu Ingis et al.	Association of National Advertisers	P8	PDF1 - 298-303
Joanne Furtsch	TrustArc	P9	PDF1 - 304-311
Kate Goodloe	BSA \| The Software Alliance	P10	PDF1 - 312-334
Howard Fienberg et al.	Insights Association	P11	PDF1 - 335-338
Hicham Abdessamad	Hitachi Group	P12	PDF1 - 339-343
Stephen C. Dwyer	American Staffing Association	P13	PDF1 - 344-348
Alvaro Marañon	Computer & Communications Industry Association	P14	PDF1 - 349-370
Tabitha Edgens	Bank Policy Institute	P15	PDF1 - 371-384
Dylan Hoffman	TechNet	P16	PDF1 - 385-400
Odia Kagan	Fox Rothschild	P17	PDF1 - 401-408
Allison Adey et al.	Personal Insurance Federation of California et al.	P18	PDF1 - 409-415
Don Erickson	Security Industry Association	P19	PDF1 - 416-425
David Wendell Phillips		P20	PDF1 - 426-433
Dave O'Toole		P21	PDF1 - 434-437
Gerard Keegan et al.	CTIA - The Wireless Association	P22	PDF1 - 438-474
Melissa MacGregor	Securities Industry and Financial Markets Association	P23	PDF1 - 475-481
Tracy Chou	Block Party	P24	PDF1 - 482-486
Jenn Taylor Hodges et al.	Mozilla	P25	PDF1 - 487-493
Jeff Reed et al.	Proofpoint et al.	P26	PDF1 - 494-501
Douglas K. Johnson et al.	Consumer Technology Association	P27	PDF2 - 1-17
Craig Erickson		P28	PDF2 - 18-124
Paul Lekas	Software & Information Industry Association	P29	PDF2 - 125-132
Hilary M. Cain	Alliance for Automotive Innovation	P30	PDF2 - 133-136
Keir Lamont	Future of Privacy Forum	P31	PDF2 - 137-147
Laila Abdelaziz	Centre for Information Policy Leadership	P32	PDF2 - 148-172
Matt Schwartz et al.	Consumer Reports	P33	PDF2 - 173-193
Asian Industry Business to Business et al.		P34	PDF2 - 194-198
Lucy Chinkezian	Civil Justice Association of California	P35	PDF2 - 199-216
Maya McKenzie	Entertainment Software Association	P36	PDF2 - 217-230
Eric J. Ellman	Consumer Data Industry Association	P37	PDF2 - 231-237
Matthew Kownacki	American Financial Services Association	P38	PDF2 - 238-242
Electronic Privacy Information Center et al.		P39	PDF2 - 243-300
Drew Bagley et al.	CrowdStrike	P40	PDF2 - 301-309
Julian Cañete et al.	California Hispanic Chambers of Commerce et al.	P41	PDF2 - 310-314
Leigh Freund	Network Advertising Initiative	P42	PDF2 - 315-324
Sun Park	SAFE Credit Union	P43	PDF2 - 325-327
Danielle Coffey	News/Media Alliance	P44	PDF2 - 328-332
Denneile Ritter	American Property Casualty Insurance Association	P45	PDF2 - 333-338
Jarrell Cook	Workday	P46	PDF2 - 339-347
Justin Kloczko	Consumer Watchdog	P47	PDF2 - 348-352
Jennifer King	Stanford Institute for Human-Centered Artificial Intelligence	P48	PDF2 - 353-418
Rachel Michelin	California Retailers Association	P49	PDF2 - 419-431
Lindsey Tonsager et al.	California Chamber of Commerce	P50	PDF2 - 432-444
Jennifer King et al.	Stanford University Program in Public Policy	P51	PDF2 - 445-459
Jordan Crenshaw	U.S. Chamber of Commerce's Technology Engagement Center	P52	PDF2 - 460-473
Meghan G. Anderson	National Institute of Standards and Technology	P53	PDF2 - 474-505

Comments received after close of preliminary public comment period

Name	Organization	Comment #	Comment (ID, pages)
Anthony Stark	ZoomInfo	PL1	PDF3 - 1-3
Jill Szewczyk	Colorado Department of Law	PL2	PDF3 - 4-10
Martin Abrams et al.	Information Accountability Foundation	PL3	PDF3 - 11-18
R. Jason Cronk	Enterprivacy Consulting Group	PL4	PDF3 - 19-29
Leticia Garcia	California Grocers Association	PL5	PDF3 - 30-37
Joanne Furtsch	TrustArc	PL6	PDF3 - 38-48

Transcripts

Webcasts

Further Information

Information regarding the rulemaking process will be posted to https://cppa.ca.gov/regulations/. If you would like to receive notifications regarding rulemaking activities, please subscribe to the “Rulemaking Proceedings” email list at https://cppa.ca.gov/webapplications/apps/subscribe/. Please note that comments are public records and will be published on the Agency's website.