Written by: Haim Ravia, Dotan Hammer
The California Privacy Protection Agency (CPPA) recently issued draft regulations regarding data deletion requirements for data brokers and cybersecurity audit requirements for companies engaged in processing activities that pose an elevated cybersecurity risk.
The proposed regulations on an Accessible Delete Mechanism seek to establish a Delete Request and Opt-out Platform (DROP) to allow consumers to file a single request that their personal information be deleted from all databases controlled by all registered data brokers. The CPPA was tasked with creating and operating this mechanism under California’s 2023 Delete Act.
The proposed regulations require that data brokers create and maintain a DROP account, access it at least once every 45 days, and comply with cybersecurity practices when using it, such as reporting unauthorized use. Upon accessing DROP, data brokers can download a “deletion list”. Data brokers will then be required to delete all copies of personal information mentioned in the list and to direct their service providers and contractors to do the same. The DROP regulations are available for public comment until June 10, 2025.
The CPPA also proposed amendments to the California Consumer Privacy Act (CCPA) Regulations, adding new requirements for businesses whose data processing activities present significant risks to the security of consumers’ personal information. The amended regulations would require these businesses to complete annual cybersecurity audits and prepare privacy risk assessment reports. The reports must include detailed descriptions of data practices, potential benefits and harms to consumers, and any mitigation measures put in place.
The proposed regulations also expand consumer rights related to automated decision-making. Consumers would have the right to receive notice when a significant automated decision is made regarding them, such as those affecting employment, housing, or essential services. Consumers may also appeal the decisions to a qualified human. The proposed CCPA Regulations are available for public comment until June 2, 2025.