22 April 2025

CPPA Signals Significant Revisions Ahead

Perkins Coie LLP



Key Takeaways

Going into the Friday, April 4, 2025, meeting, the California Privacy Protection Agency (CPPA) seemed poised to move forward far-reaching privacy regulations on risk assessments (RAs), cybersecurity audits, and automated decision-making technology (ADMT). Instead, the CPPA board spent considerable time discussing how best to revise and substantially pare back the proposed rules, ultimately sending the staff back with a long to-do list of tasks to complete before the next board meeting.

Below, we summarize key updates coming out of the meeting that provide some insight into the potential shape of future regulations and a potential timeline.

Six Key Areas Targeted for Modification

The April meeting focused on a series of alternatives proposed by staff in six areas of the latest draft regulations:

  1. Definition of ADMT
  2. Definition of "significant decision"
  3. "Behavioral advertising" threshold
  4. "Work or educational profiling" and "public profiling" threshold
  5. "Training" thresholds
  6. RA submissions to the CPPA

Although the board did not reach a consensus on how to address each of these issues, the discussion made clear that each is likely to change considerably.

1. Redefining ADMT

The board debated whether to halt the ADMT rulemaking process altogether but ultimately agreed to continue forward with a more tailored approach. Although the board did not agree on a specific, narrower definition, the board tasked the staff with narrowing the scope of the ADMT that would be covered by the regulations, indicating that they would prefer a definition that more closely aligns with Colorado's automated decision-making rules.

2. Narrowing "Significant Decision"

One of the key uses of ADMT that triggers obligations under the draft regulations is ADMT used to make "significant decisions." The initial proposed definition of this term was quite broad but will likely be significantly narrowed.

As presented by the staff, the current definition of "significant decision" is "a decision ... that results in access to, or the provision or denial of any of the following:

  • Financial or lending services
  • Housing
  • Insurance
  • Education enrollment or opportunity: admission, acceptance into programs, educational credentials, suspension, and expulsion
  • Criminal justice (e.g., posting of bail bonds)
  • Employment or independent contracting opportunities or compensation: hiring, allocation or assignment of work or compensation, promotion, demotion, suspension, and termination
  • Healthcare services
  • Essential goods or services (e.g., groceries, medicine, hygiene products, or fuel)."

Board members expressed multiple concerns that this definition is overly expansive. For example, Board Member Alastair Mactaggart argued that the phrase "access to" could unintentionally capture routine technologies like map applications that direct users to emergency rooms or a bank. Board Member Drew Liebert similarly raised concerns that the phrase "allocation or assignment of work" could encapsulate technologies like systems that assign food orders to the nearest delivery driver based on location. Board Chairperson Jennifer Urban reiterated that the primary concern the regulations should seek to address is preserving civil rights, not simply trying to avoid "things that are creepy."

To narrow this definition, the board discussed potential alternatives, including replacing "access to" with narrower language, like "selection of a consumer for," or removing the phrase altogether. Additionally, the board discussed eliminating several decision types entirely, including references to "criminal justice," "insurance," and "essential goods and services."

Eventually, the board directed staff to take this definition back and provide additional use cases of activities that would and would not constitute a "significant decision."

3. Pulling Back on Behavioral Advertising

The board reflected a consensus on removing one of the most controversial elements of the draft regulations—the inclusion of the use of ADMT for "behavioral advertising" purposes. Businesses engaged in behavioral advertising would not need to comply with ADMT or RA obligations but would still need to comply with other California Consumer Privacy Act (CCPA) obligations applicable to selling or sharing data.

4. Revisiting Profiling Thresholds

The board signaled a desire to scale back obligations related to "work or educational profiling" and "public profiling." However, the board indicated that after considering public comments submitted by the February 19 deadline, it did not have enough information yet to make a decision on how to best revise these provisions. Instead, the board asked staff to return with real-world scenarios to help inform the board, indicating that some tailoring—not total removal—is likely.

5. Striking Artificial Intelligence (AI) From the "Training" Threshold

Under the draft regulations, one of the triggers for an RA includes instances where a business would process personal information to train ADMT or AI for certain purposes. The board raised many concerns about this section. For example, Board Member Mactaggart criticized the current proposed regulations because "it's like saying 'if you use this certain technology [like AI], that's [inherently] risky'" even if an entity is not engaged in risky privacy activity. Board Member Jeffrey Worthe echoed this concern, arguing that the current regulations are overly expansive since compliance obligations are assigned when "something is merely capable" of engaging in risky conduct and not limited to instances where organizations are actually engaging in risky activities.

In an effort to streamline RA triggers, the board agreed to eliminate all references to AI in determining whether an entity must perform an RA based on training practices. Additionally, the board instructed the staff to modify the requirements so that they apply solely to businesses that are currently using or intend to use ADMT for particular purposes, not when the ADMT is merely capable of being used for those purposes.

6. Reworking Risk Assessment Submissions

Rather than requiring full submissions of RAs annually to the CPPA, the staff proposed that businesses could instead submit a higher-level annual summary that excludes certain information and only includes the following:

  • Business's name and contact information
  • Time period covered by the submission
  • Number of RAs the business conducted or updated during the time period covered by the submission, in total and by processing-activity threshold
  • Which categories of personal information were subject to RAs
  • Attestation that the business completed the RA, provided by the highest-ranking executive responsible for, and with knowledge of, the business's RAs
  • Signature/certification under penalty of perjury that the information provided is true and correct, including the business title of signatory and date of signature

Businesses would still need to provide a full RA upon request by the CPPA or the California attorney general. The board agreed to this proposal and even went several steps further, directing the staff to compare whether RAs conducted in accordance with other legal regimes—specifically, Colorado's laws and the General Data Protection Regulation (GDPR)—would satisfy California's proposed RA requirements. The staff will return to the next meeting with a new proposal and more information.

Hints at Legal Challenges

Board Member Mactaggart expressed strong resistance to advancing the current draft regulations, articulating concerns that doing so would likely be met with legal opposition based on constitutional concerns. Citing public comments alleging that the board is overstepping its authority, Board Member Mactaggart requested that staff draft a memorandum addressing legal risks here, although the board expressed confidentiality and privilege concerns about the creation of such a document.

What's Next?

Acknowledging the significant delay in finalizing these regulations, the staff stated that it will likely bring modified regulations back to the board at its next scheduled meeting in May. This meeting would trigger a new public comment period of at least 15 days, with some discussion of extending it to 30 days.

As for the broader timeline, the CPPA anticipates holding at least one additional board meeting in August or September, with the goal of submitting a final rulemaking package to the Office of Administrative Law by November 2025.

One thing is clear: This rulemaking process remains in flux. We encourage companies to remain engaged, review proposed changes as they emerge, and continue preparing for eventual compliance obligations—even as the scope and shape of those obligations evolve. Perkins Coie has been involved in rulemaking since the CCPA was passed and will continue to assist clients seeking practical changes to the draft regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
