At a recent public meeting, California privacy officials advanced several initiatives that could significantly impact businesses, especially employers. The California Privacy Protection Agency (“CPPA”) has initiated formal rulemaking on Automated Decision-Making Technology (“ADMT”), such as resume-screening tools, facial recognition, and AI systems. The proposed regulations would require businesses to provide a pre-use notice about ADMT, allow consumers to opt out (with certain exceptions), and give them access to information on how ADMT is used. Employers and businesses utilizing AI tools must evaluate whether these rules apply and plan for potential carve-outs, particularly in employment contexts.
In addition to ADMT regulations, the CPPA is finalizing new data broker registration requirements. The updated regulations clarify that businesses selling consumer data without a direct relationship with the consumer—defined as an intentional interaction within the past three years—must register as data brokers. This includes companies using website tracking technology that collect data indirectly. The CPPA also raised the registration fee for data brokers to fund the Data Request Opt-Out Platform (“DROP”), set to launch in 2026, and established ongoing compliance requirements, such as annual registration and independent audits every three years.
Looking forward, the CPPA is prioritizing other regulatory areas, such as employment data, financial incentives, and insurance, which will be revisited at the agency’s May 2025 meeting. CPPA Executive Director Ashkan Soltani will step down in 2025, but the agency expects continuity in its policies. Businesses must take several steps to prepare, including identifying ADMTs in use, considering submitting public comments during the rulemaking process, assessing whether they qualify as data brokers, and reviewing website tracking technologies for compliance with the new regulations.
To ensure compliance with these new measures, contact us at info@mnklawyers.com.