The California Privacy Protection Agency (“CPPA”) Board will meet on Thursday, July 24 to discuss the California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automatic decisionmaking technology (“ADMT”), the CCPA’s application to insurance companies, and updates to the existing CCPA regulations.
Ahead of the meeting, the CPPA re-issued the draft regulations originally released on May 9, 2025. This re-release may suggest that the CPPA is not considering changes to the draft regulations or that it has chosen not to publish any changes that it is considering before Thursday’s discussion.
The CPPA began its formal rulemaking process for the draft regulations with a public comment period that opened on November 22, 2024, and was initially scheduled to conclude with a public hearing on January 14, 2025. To accommodate Californians affected by wildfires, the agency extended the comment period to February 19 and held a second public hearing on the same day. In response to public input, the CPPA released updated draft regulations ahead of its April 4 Board meeting, followed by another draft prior to its May 1 meeting. Eight days later, the agency issued revised draft regulations, initiating a second public comment period that closed on June 2, 2025.
The CPPA Board is now meeting to consider the potential adoption or modification of the draft regulations. Under statute, the agency is required to finalize the regulations by November 25, 2025. If the CPPA files the final regulations with the California Office of Administrative Law by August 31, 2025, they will take effect on October 1, 2025. If the filing occurs after August 31 but before the November 25 deadline, the regulations will instead take effect on January 1, 2026.
The CPPA Board is also scheduled to discuss possible action or modification to the draft Deletion Request and Opt-Out Platform (“DROP”) Requirements. The draft requirements implement California’s Delete Act, which mandates that by January 1, 2026, the CPPA establish an accessible deletion mechanism allowing consumers to submit a single request to delete their personal information from all registered data brokers.
The agenda and meeting records for the July 24 Board meeting can be found here.
Please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team if you have any questions about CCPA, the Delete Act or their respective implementing regulations.
