The California Privacy Protection Agency released proposed CCPA rules for a variety of topics in November, as well as announcing an investigative sweep for compliance with the Delete Act. Topics include the following, which we cover in this week’s California-focused blog posts:

Companies have until January 14, 2025 to comment on the proposed rules (for the first four topics above). The agency will then begin the formal rulemaking process, during which it can make significant changes to these drafts.

Putting It Into Practice: Companies who engage in activities that could be viewed as “automatic decisionmaking” under CCPA will want to review these new proposals. Similar review should be made of the risk assessment, audit and data broker obligations. We will look at each in turn in further posts this week.