At its meeting on November 8, 2024, the California Privacy Protection Agency (CPPA) voted to proceed with formal rulemaking regarding artificial intelligence (AI) and cybersecurity audits. The CPPA’s rulemaking related to AI runs parallel to the California Civil Rights Department’s push for its own regulations related to AI.

The CPPA’s proposed regulations include details related to:

  • Automated Decision-Making Technology (ADMT): the specifics related to a consumer’s right to access and opt out of a business’s use of ADMT; requirements that businesses must disclose their use of ADMT and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the consumer.
  • Cybersecurity Audits: requirements related to annual cybersecurity audits to confirm compliance with the California Consumer Privacy Act (CCPA) and other consumer privacy regulations, including the scope, methodology, and reporting requirements.
  • Risk Assessments: requirements for risk assessments to identify privacy risks related to data processing activities.
  • Regulation of Insurance Companies: clarification of when the CCPA applies to insurance companies.

The proposed regulations will be available for public comment for 45 days. The CPPA will also conduct public hearings for additional feedback and discuss potential updates to the proposed regulations. The updated regulations are expected to become effective by mid-2025.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.