The California Privacy Protection Agency will conduct an investigative sweep of data broker registration compliance under the state’s Delete Act, the CPPA said Wednesday. The law requires data brokers to register with the CPPA and pay an annual fee. Starting in 2026, data brokers must honor consumer requests to delete all their personal information.
The FCC will coordinate with the California Privacy Protection Agency (CPPA) on privacy efforts, the federal agency said Tuesday. The FCC’s privacy and data protection task force signed a memorandum of understanding with the CPPA, which is charged with rulemaking and enforcement related to California privacy laws, including the California Consumer Privacy Act. Under the pact, the two agencies will “share close and common legal interests in working cooperatively to investigate and, where appropriate, prosecute or otherwise take enforcement action in relation to privacy, data protection, or cybersecurity issues.” FCC Chairwoman Jessica Rosenworcel said, “Coordinated state and federal partnerships like this are essential to our privacy work.” CPPA Executive Director Ashkan Soltani said the partnership will “help increase trust and security in the digital marketplace.” CPPA Enforcement Head Michael Macko added, “collaboration is key to vigorous enforcement.” Also Tuesday, the CPPA released an agenda for its Nov. 8 board meeting. The agency may vote to advance draft rules, including on automated decision-making technology, risk assessments, and cybersecurity audits, to a formal rulemaking, it said. The board also has plans for considering possible changes to data broker registration requirements.
California Gov. Gavin Newsom (D) vetoed a privacy bill the same day that he signed a measure aimed at protecting children on social media websites. On Monday, the Computer & Communications Industry Association (CCIA) applauded Newsom’s veto of a privacy bill on Friday that would have required global opt-outs in web browsers and mobile operating systems. But Consumer Reports slammed the decision to kill the bill that was sought by the California Privacy Protection Agency (CPPA). Meanwhile, CCIA slammed his signing of legislation meant to reign in algorithms on social platforms.
The California legislature will send state bills on smartphones in schools, privacy and social media to Gov. Gavin Newsom (D). On Wednesday, the Assembly concurred with Senate changes to AB-3216, which would require schools adopt limits or bans on student use of smartphones; AB-3048, which would require web browsers to opt-out from the sale of and sharing data on all websites; AB-1824, which would require a business acquiring another company to follow an acquired customer’s privacy directions under the California Consumer Privacy Act; and AB-1282, which orders a study on mental health risks of social media for children. The Senate approved the bills Tuesday (see 2408280033). In addition, the Assembly voted 48-16 for a measure (SB-1047) allowing the attorney general to pursue civil penalties against large AI developers if they cause “severe harm” to residents. On Thursday, the Senate voted 29-9 to concur with the Assembly and send the AI bill to the governor. SpaceX and Tesla founder Elon Musk said California should “probably pass” the bill that Sen. Scott Wiener (D) proposed (see 2408270047). Meanwhile on Wednesday, the Senate voted 25-10 to pass AB-1826, which would update California's 2006 video franchise law, known as the Digital Infrastructure and Video Competition Act (DIVCA). The bill would increase fines for service-quality problems and seeks increased participation from the public and its advocates in the franchise renewal process. And senators voted 33-0 to pass AB-1949, which would set stricter limits on sharing children’s personal data under the CCPA. The Senate-passed bills will go back to the Assembly to concur with Senate amendments. On Thursday, California Privacy Protection Agency Executive Director Ashkan Soltani applauded passage of the bill requiring opt-out preference signals, which, he said, will make it "significantly easier for Californians to exercise their opt–out rights online." The Computer & Communications Industry Association opposed the AI bill in a statement Thursday. The measure's goals "appear well-intentioned, but poorly informed and ill-executed," said CCIA State Policy Director Khara Boender. "It would disrupt the development of the U.S. AI ecosystem by imposing untenable liability as U.S. companies compete with foreign companies."
The California Privacy Protection Agency sought feedback on proposed data broker registration rules, the CPPA said Friday. Comments are due Aug. 20. The CPPA will also hold a virtual hearing that day at 1 p.m. PDT. California’s 2023 Delete Act authorized the agency to make registration rules. “The proposed regulations address common questions and obstacles that surfaced for data brokers in the initial registration period,” including about registration fees, statutory definitions and requirements for registration, registry updates and website disclosures, the CPPA said.
It appears House Republican leadership isn’t willing to bring the House Commerce Committee’s bipartisan privacy bill to the floor because it lacks the necessary votes to pass, members and sources close to discussions told us Wednesday.
California and France privacy regulators will collaborate under a declaration the California Privacy Protection Agency announced Tuesday. CPPA Executive Director Ashkan Soltani and Marie-Laure Denis, the Commission Nationale de l'Informatique et des Libertes (CNIL) chair, signed the pact in Paris. “We’re excited to collaborate with the CNIL and pave the way for information sharing on areas of mutual interest,” Soltani said in a CPPA news release. Denis said, “We are looking forward to working together on common research projects, to exchanging good practices or to sharing experiences. Data circulation on a global scale requires such an approach to go beyond the national and European framework.”
A state court needn’t set a deadline for the California Privacy Protection Agency (CPPA) to make rules on cybersecurity audits, risk assessments and automated decision-making technology, with enforcement “still distant,” the agency said Wednesday. The California Superior Court of Sacramento asked May 3 if it should set a “date certain” for those rules after the California Chamber of Commerce’s lawsuit against the agency returned to the court. The court scheduled a June 21 hearing on the question. In February, California’s 3rd District Court of Appeal reversed the court’s June decision that granted a CalChamber petition and stayed any CPPA rules for 12 months after they become final. CalChamber petitioned for review at the California Supreme Court (see 2402210031), but that court declined to take the case on April 24. As a result, the only remaining issue for the Superior Court to decide is whether to set a deadline for the upcoming CPPA rules. In its Wednesday brief, the privacy agency said it started drafting remaining rules at issue in the case and will finalize them "once it has determined that it has received sufficient feedback from stakeholders and obtained necessary approval from state control agencies. In the meantime, it will not enforce the law in the specific areas still subject to regulation. Petitioner is entitled to nothing more.” It would be “improper” for the court to set a deadline because the Administrative Procedure Act (APA) “rulemaking process involves a substantial exercise of judgment and discretion over the timeline of the process itself,” the agency said in case 34-2023-80004106-CU-WM-GDS. “Petitioner's interests are already protected by enforcement delays and the APA-mandated procedures for stakeholder input.” The agency already took more feedback than the APA requires in a pre-rulemaking phase and will soon seek more input when it opens a formal rulemaking process, added the agency. In another brief, CalChamber pointed out that the agency was supposed to adopt final rules by July 1, 2022. “Petitioner continues to be concerned about the Agency’s timeline for fulfilling its statutory obligations with respect to the three outstanding rulemakings.” Given the coming rules’ significance, CalChamber "remains invested in ensuring the Agency does not attempt to adopt the regulations on a timeline that does not allow sufficient time for stakeholder review and participation, public comments, and meaningful consideration of public input,” said the business group. That said, CalChamber noted that only the agency "can fully address the anticipated timing for the adoption of the outstanding regulations.”
California Assembly members supported a proposed ban on digital discrimination the same day that state senators backed a proposal that would remove a free internet requirement in the state’s public housing broadband grant program. Bills on universal opt-out and social media also cleared their originating chambers Wednesday. The Assembly voted 43-10 to pass AB-2239, which would codify in California law the FCC’s definition of digital discrimination and allow state and local enforcers to seek injunctive relief (see 2404230039). On the privacy front, Assembly members voted 53-7 to pass AB-3048, which would require web browsers to include an option to opt out of selling and sharing data on all websites. The California Privacy Protection Agency supports that bill (see 2403130048). Also, the Assembly voted 46-0 for AB-2481, which would create a mechanism for people who report threatening content on social media platforms. In the other chamber, senators voted 37-0 for SB-1383 to remove restrictions included in the California Advanced Services Fund (CASF) public housing account that require ISPs to provide free internet before receiving grants. The cable industry supports the bill because it claims that the current restriction deters grant applications (see 2404020049).
The number of states with privacy laws reached 18 after Maryland Gov. Wes Moore (D) signed SB-541/HB-567 on Thursday. Vermont and Minnesota could soon join the ranks. While not first, Maryland “sets the new standard” for state privacy laws and “raises the bar” for Congress, said Caitriona Fitzgerald, Electronic Privacy Information Center (EPIC) deputy director, in an interview. Meanwhile, in California, the first state with a privacy law, board members of the California Privacy Protection Agency (CPPA) slammed the preemptive current draft of a privacy bill from Congress.