On July 24, 2025, the California Privacy Protection Agency (“CPPA”) Board voted to adopt draft regulations under the California Consumer Privacy Act (“CCPA”) concerning cybersecurity audits, risk assessments, automated decisionmaking technologies, and the CCPA’s application to insurance companies. The approved regulations also include certain updates to the existing CCPA regulations.
The CPPA will now submit the draft regulations in a rulemaking package to the Office of Administrative Law (“OAL”). OAL will have thirty working days to review the package to ensure compliance with California’s Administrative Procedure Act and OAL’s regulations. If OAL approves the rulemaking package, it will file the regulations with California’s secretary of state.
The regulations will take effect on October 1, 2025, if OAL files them with the secretary of state by August 31. If OAL files after that date, the next effective date is January 1, 2026.
The CPPA Board also is considering draft Deletion Request and Opt-Out Platform (“DROP”) Requirements to implement the Delete Act. The Board voted to advance the draft DROP rules to a second public comment period to be initiated by the CPPA upon formal notice.
We will continue to monitor CCPA and Delete Act rulemaking. Please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team if you have any questions.