At IAPP GPS 2024, CPPA Executive Director Tom Kemp gave a clear message: the agency is shifting into high gear—expanding its regulatory scope and sharpening its enforcement focus.
🔍 Here’s what to watch:
🛠️ New rules coming:
The CPPA is preparing to finalize regulations on automated decision-making (ADMT), cybersecurity audits, and implementation of the Delete Act—which includes a new portal (DROP) allowing Californians to request deletion of their data from all registered data brokers.
⚖️ More enforcement, more clarity: The agency is increasing enforcement and intends to “telegraph” its priorities. Watch for guidance on core CCPA rights like access, deletion, and data minimization. The soft launch is over.
📊 Internal audit power: CPPA is hiring a chief auditor and investigators to operationalize annual cybersecurity audits—a CPRA requirement with EU-style accountability.
🤖 AI rules coming fast: Upcoming ADMT rules include opt-out rights for personal-information-based AI systems. While generative AI may see carve-outs, the CPPA is laser-focused on how personal data powers automated decision-making. As Kemp put it, the goal is “guardrails, not brakes.”
💰 And yes—it’ll be expensive: Governor Newsom’s office has projected a $3.5B cost in year one alone to implement new automation rules. But for many businesses, non-compliance will cost more.
✅ What it means for your privacy program:
- Get involved in the rulemaking process this summer
- Budget and plan for audit-readiness
- Monitor ADMT definitions and opt-out requirements
- Prepare for a more assertive enforcement landscape
California isn’t slowing down. Are you keeping up?
