The California Privacy Protection Agency (CPPA) Board has initiated a formal rulemaking process on a new regulatory package, moving forward with proposals for automated decision-making technology (ADMT) rules, cybersecurity audits, risk assessments, and insurance company compliance with the California Consumer Privacy Act (CCPA). This decision, reached after months of intense discussion, will provide an opportunity for public input and allow the board to incorporate feedback as it refines these proposed rules.

With this move, the CPPA will open a 45-day public comment period, extended to ensure comprehensive feedback. Should any substantive changes arise, a 15-day comment period will follow. CPPA staff have indicated that the board expects to review public feedback by February 2025.

Financial Impact: Divided Perspectives on Compliance Costs

A CPPA regulatory impact assessment estimates that compliance with the proposed rules could cost businesses up to $3.5 billion with potential job losses as companies adapt to the new requirements. Business groups have voiced strong concerns over these projected costs, particularly for smaller companies and sectors that rely on extensive data processing. 

Opponents also contend that the rules’ opt-out provisions for profiling and AI data usage could severely impact the advertising sector, potentially disrupting targeted advertising models central to many businesses' revenue streams.

Conversely, the CPPA contends that the financial impact would be most significant upfront, with lower ongoing costs in the long term. The agency asserts that compliance will ultimately benefit California consumers by enhancing privacy protections and reducing risks associated with ADMT, which could foster trust and contribute to a more secure, resilient economic environment. 

Leadership Transition Ahead

In addition to advancing the rulemaking process, CPPA Executive Director Ashkan Soltani announced his resignation effective January 2025. Appointed in 2021, Soltani has led the CPPA from its inception to a fully operational agency with a strong enforcement focus. His departure marks a new chapter for the agency as it continues to shape California’s privacy landscape and navigates the evolving relationship between privacy, technology, and regulation.