Posts

Showing posts with the label CPPA

Countdown to Data Privacy Day 2026 - What's On the Horizon: 2026 Data Privacy Trends That Will Redefine Compliance

In 2026, organizations will face a markedly more complex privacy and cybersecurity landscape. Numerous individual states continue to expand substantive requirements, federal regulators are asserting broader enforcement authority and emerging technologies are reshaping compliance expectations. This alert previews the privacy compliance developments most likely to affect businesses in the coming year and outlines practical implications for compliance and risk management. 1. Expansion of State Privacy Laws and Accelerated Enforcement With the addition of Indiana, Kentucky and Rhode Island’s new statutes on Jan. 1, 2026, a total of 20 states have comprehensive consumer privacy laws in effect. Although these laws share many structural similarities, their divergent definitions, exemptions and rights create operational challenges for any organization handling data across multiple jurisdictions. Unsurprisingly, California remains the most demanding privacy jurisdiction. Its  newly effecti...

The CCPA and Automated Decision-Making Technologies (ADMT)

As artificial intelligence (AI), particularly generative AI, becomes increasingly woven into our professional and personal lives—from personalized travel itineraries to reviewing resumes to summarizing investigation notes and reports—questions about who or what controls our data and how it’s used are ever present. AI systems survive and thrive on information and that intersection of AI and privacy elevates the need for data protection. Recent  regulations  issued by the California Privacy Protection Agency (CPPA) under the California Consumer Privacy Act (CCPA) begin to erect those protections. Among its various provisions, the CCPA now specifically addresses automated decision-making technologies (ADMT), attempting to bring transparency and consumer rights to, among other things, push back on algorithms making significant decisions about them. As a starting point, it is important to define ADMT. Under the CCPA, it means any technology that processes personal information and ...

California Breaks New Ground With Record $1.35M Fine for Job Applicant Mistakes: 6-Step Action Plan for Employers

The California Privacy Protection Agency, the state’s main data privacy regulator, just announced its largest fine yet – a record-setting $1.35 million – against an employer that it found to have violated job applicant and consumer privacy rights . Today’s announcement marks the first-ever enforcement action involving job applicants, kicking off a new chapter when it comes to the way employers need to think about the California Consumer Privacy Act (CCPA). If you collect information from California job applicants, employees, or consumers, you will want to review our summary of this groundbreaking news and follow our six-step action plan. What Happened? The California Privacy Protection Agency (CPPA) launched its investigation against Tractor Supply, the nation’s largest rural lifestyle retailer, after it received a solitary complaint from a consumer in Placerville, CA. It is not publicly known whether this consumer was a job applicant, employee, website user, retail customer, or other...

California Finalizes Groundbreaking Regulations on AI, Risk Assessments, and Cybersecurity, Part II: What Businesses Need to Know

Image
  In July 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved new regulations pursuant to the California Consumer Privacy Act (CCPA) that specifically address the use of automated decisionmaking technologies (ADMTs), requirements for completing risk assessments, and, for businesses processing large amounts of California resident data or engaging in the large-scale sale or sharing of data, mandatory annual cybersecurity audits. While these regulations have been in the drafting process since 2023, they reflect an ongoing trend in California and across the country in favor of heightened, proactive accountability mandates. Quick Hits The CPPA Board recently approved new cybersecurity audit regulations that, pending final approval by the California Office of Administrative Law (OAL), will apply to large CCPA-covered businesses and data brokers. The regulations include extensive independent audit requirements that will, at a minimum, necessitate businesses e...