California Starts 2025 with More Regulatory Action

5 min

The California Privacy Protection Agency (CPPA) is starting the year by implementing new data broker regulations, which took effect in late December, and continuing to move toward the completion of new rules for automated decision making that could reshape many data practices, including digital advertising for companies of all type.

The new data broker regulations are now in place and in effect for the registration period that runs through January 31. For additional analysis, background, and context on the data broker regulations now in effect, please read our prior summary of the proposed data broker regulations. Companies of all types should assess their practices and consider whether they may now be swept into coverage and need to register with the state. The CPPA is monitoring for failures to register and recently levied fines against two companies it alleged had failed to register.

Beyond expanding the scope of its data broker registry, the CPPA is also moving forward with rulemaking to implement the California Consumer Privacy Act (CCPA). These proposed new rules would include those related to automated decision-making technologies (ADMT) and new opt-out requirements for the use of those tools for first-party advertising practices, a new frontier beyond the typical opt-outs required in state law for "targeted advertising." Below are updates on this early action in California.

Data Broker Updates

While the CPPA's new data broker rules would typically have gone into effect on April 1, 2025 because of the timing of their approval by the California Office of Administrative Law (OAL), OAL approved the CPPA's request for an exception to the standard procedure, and the rules became effective in December. In requesting the exception, the CPPA stated that "[i]f the regulations become effective based on the regular quarterly schedule, these regulations would become effective on April 1, 2025, after the 2025 registration period closes, thereby delaying the important protections for consumers and their personal information."

The final regulation broadens the definition of "data broker" to include any business that sells information it did not collect directly from consumers with which it has a "direct" relationship. Consequently, businesses traditionally not qualifying as data brokers might be classified as such if they "sell" information about their customers they obtained from third parties. "Sell" is defined in broadly in California, including providing data in return for advertising services in the eyes of the California Attorney General's Office. The CPPA stated that this change is meant to capture businesses that have direct relationships with consumers but which obtain data from third parties about those same consumers and sell that information. For more information on this and other updates made to the data broker regulations, please refer to the relevant section of our summary of the proposed rule.

Businesses that are data brokers (under the old or new definition) are required to register and undertake additional compliance steps along the following timeline:

By January 31, 2025, data brokers (new and prior registrants) must register with the CCPA. With two weeks left in the registration window, data brokers must complete a registration form and remit the new annual fee of $6,600. The CPPA's instructions for how to register can be found here.

By July 1, 2025, data brokers must collect and report certain metrics on their website's privacy policy and include a link to this information in the privacy policy. Among the information required as part of the disclosure is:

  • The number of consumer requests described below that a data broker received, complied with in whole or in part, and denied during the previous calendar year (2024):
    • Requests to delete personal information
    • Requests to know or access the personal information the data broker was collecting
    • Requests to know what personal information the data broker was selling or sharing and to whom
    • Requests to opt out of sale or sharing of personal information and
    • Requests to limit the data broker's use and disclosure of sensitive personal information
  • The median and the mean number of days within which a data broker substantively responded to the above requests in the previous calendar year

By August 1, 2026, data brokers are required to respond to requests received via the data deletion mechanism that the CPPA is required to build as part of the DELETE Act.

Continued ADMT Rulemaking

The CPPA continued its regulatory efforts by holding a public hearing on January 14, 2025 regarding its proposal for CCPA regulations related to cyber and risk assessments, ADMT, and insurance regulations. These prosed updates include language that could create a general opt-out of some forms of first-party advertising activity, going beyond the CCPA's opt-out of sale and sharing for cross-context behavioral advertising. The CPPA would define "behavioral advertising" to include targeting advertising to a consumer based on personal information about the consumer's activities "within the business's own distinctly-branded websites, applications, or services." The rules would also require that businesses provide consumers with the ability to opt out of the use of ADMT for profiling a consumer for behavioral advertising because the CPPA would define that practice as a form of "extensive profiling."

Because the CPPA would define ADMT to include the use of technology to process personal information that, in part, "substantially facilitates human decision making" the opt-out could impact various forms of first-party advertising that would have previously been out of the scope of the CCPA's opt-out provisions.

Because of the devastating wildfires currently affecting California, the CPPA has extended the public comment period for this rulemaking. The new deadline for public comments is February 19, 2025, when the Agency will also hold an additional public hearing.

What should you do?

1. Determine if registration is required: With January 31 rapidly approaching, companies that may now qualify as a data broker in California should determine if registration is required and start that process soon, including determining an individual to serve as a confidential point of contact for the CPPA.

2. Data brokers should start tracking necessary metrics: If you have been, or are now going to be, a registered data broker in California, you can start to track the necessary metrics, which differ slightly from what is required for CCPA compliance.

About Venable

Venable's Privacy and Data Security Practice Group has extensive experience counseling clients on obligations as data brokers or those using data broker services. Please feel free to reach out to us if you would like to learn more about federal or state privacy legislation, applicability to your organization, or what you can do to assess your compliance posture with respect to new laws or regulations.