Businesses should start thinking now about complying with new data-protection regulations approved Thursday by the California Privacy Protection Agency (CPPA), privacy attorneys said immediately afterward in blogs and LinkedIn posts. While consumer privacy advocates slammed the rules as weak, one acknowledged they still give California a lead over other U.S. states.
The California Privacy Protection Agency will soon take 15 days of comments on revised draft rules for implementing a data-deletion mechanism under the California Delete Act, the five-person CPPA board decided unanimously during a partially virtual meeting Thursday. The agency expects to extensively test the system to work out any kinks before data brokers start accessing it in August 2026, said General Counsel Philip Laird.
The California Privacy Protection Agency approved rules on automated decision-making technology (ADMT) and other subjects at a partially virtual meeting Thursday. CPPA Board members voted 5-0 to clear the rulemaking package, which also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations.
A consumer advocacy group that sponsored the California Delete Act offered a mostly positive assessment of the California Privacy Protection Agency’s latest draft of rules for implementing a data deletion mechanism. Concerns linger that data brokers may try to shirk the requirements, said Emory Roane, Privacy Rights Clearinghouse associate director of policy, in an email to Privacy Daily. However, the CPPA’s new draft answers key questions about ensuring the Delete Request and Opt-Out Platform (DROP) will work effectively when it opens to consumers Jan. 1 and data brokers on Aug. 1, 2026.
The California Privacy Protection Agency won't make further significant changes to proposed rules in a controversial rulemaking on automated decision-making technology (ADMT) and other subjects, according to a draft released Tuesday. Meanwhile, in a proceeding on creating a data-deletion mechanism, the agency proposed several clarifications on data broker responsibilities. The CPPA posted those and other materials ahead of Thursday’s scheduled board meeting (see 2507110055).
A proposed change to the California Consumer Privacy Act (CCPA) about publicly available information hit a temporary roadblock Wednesday in the Assembly Privacy Committee. Sen. Aisha Wahab (D) said she planned to work with California businesses over the summer to refine SB-435, which failed to clear the committee but is still alive. “We are deeply committed [to] working with industry.”
Virginia’s reproductive health data privacy law could be amended next year in response to concerns from retailers, state Sen. Barbara Favola (D) said in an email to Privacy Daily Wednesday. “I expect to be making some changes to my data privacy law during the 2026 session.”
California Assemblymember Buffy Wicks (D) said her bill to require transmission of age-verification signals (AB-1043) “still is a very strong bill” after she accepted various proposed changes. At a Senate Judiciary Committee hearing Tuesday, Chair Thomas Umberg (D) foreshadowed more adjustments could come in the weeks ahead.
Republicans and business groups during two hearings Tuesday objected to California legislation seeking limits on surveillance pricing. They raised concerns with proposals regulating businesses’ price flexibility and providing a private right of action.
Colorado shouldn’t use upcoming kids’ privacy regulations as a “back door” to require age verification, retailers warned the state’s law department last week. In addition to warning against requiring verification through possible rules about a company’s “willful disregard” of a user being a minor, industry groups cautioned that any regulation of system design features mustn’t violate the First Amendment.