Buckle Up! CPPA Is Driving Privacy Regulation and Enforcement Forward

After a relatively slow start to 2025, the California Privacy Protection Agency (CPPA) is firing on all cylinders now.
In recent weeks, the CPPA (i) revised the proposed Delete Request and Opt-out Platform (DROP) regulations and opened a public comment period, (ii) announced a series of major enforcement cooperative agreements, and (iii) held a public CPPA Board meeting on May 1, where the CPPA unveiled a significantly revised proposed version of the draft regulations package on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). Perhaps most importantly, the CPPA laid out a projected timeline for finalizing the regulations with a strong sense of direction.
Below, we highlight a few standout recent developments and summarize key updates coming out of the May meeting that hint at both the direction and timing of forthcoming regulations.
DROP Comment Period Opened
As we covered in a prior blog post, the CPPA Board recently voted to authorize CPPA staff to advance the DROP regulations to formal rulemaking. After making several requested revisions, the CPPA opened the 45-day public comment period on April 25. The CPPA invites feedback on the proposed DROP regulations, which aim to provide California residents with a streamlined method to request the deletion of their personal information held by registered data brokers through a single submission. The comment period will remain open through June 10, 2025, when a public hearing will be held in Sacramento.
After the public comment period closes, the CPPA will review the comments and vote on whether to finalize the regulations or make additional revisions, most likely at its scheduled July Board meeting. For more information on the proposed DROP regulations or how to submit comments, interested stakeholders can visit the CPPA web page or the Notice of Proposed Rulemaking.
2025 Timeline: Could This Be “The Year”?
After a prolonged period of ambiguity surrounding the fate of the ADMT, risk assessment, and cyber audit regulations, the Board at the May 1 CPPA meeting offered some clarity, setting its sights on finalizing the rules by November 2025. As an immediate next step, on Friday, May 9, the CPPA opened a short comment period on the regulations package that will end on June 2. The CPPA will hold its next scheduled meeting on Thursday, July 24. It is possible the Board could adopt the regulations package at that July meeting, in which case the regulations could be finalized and take effect as early as September or October 2025. If, however, the Board elects at the July meeting to open another short comment period, it will strive to finalize the regulations by November. The CPPA expressed a keen desire to finalize the regulations this year, so an extension beyond November 2025 appears unlikely.
As Promised, CPPA Substantially Pares Back Regulations
As we covered in our April blog post, the CPPA Board directed staff to revise the draft regulations to substantially scale back the proposed rules. The staff released a new draft on April 30, which reflects substantial revisions to each of the components of the regulations package. Below, we touch on some of the key updates for each section.
The latest draft regulations substantially revise the approach to regulating ADMT. Most notably, the scope of ADMT systems subject to regulation has been narrowed considerably. Where the prior version covered technologies that "substantially facilitate" human decisionmaking, the revised draft limits coverage to those that "substantially replace" human decisionmaking, making clear that if humans are involved in the decision in particular ways, the decisionmaking falls outside of the rules. The ADMT regulations would also be limited to "significant" decisions (defined similarly to the GDPR's notion of "legal or similarly significant effects"). Several previously covered uses are now out of scope: "behavioral advertising" based on first-party data, workplace and educational profiling, profiling based on public observation, and the use of personal information to train systems that are capable of being used for certain purposes. Finally, the definition of "artificial intelligence," and every reference to it, has been removed entirely from the text, responding to concerns that the CPPA was overreaching in a burgeoning area.
The CPPA also rolled back its risk assessment regulations in several important ways. First, the CPPA removed the requirement introduced in April to submit "abridged" risk assessments to the agency. Next, the CPPA significantly narrowed the types of processing activities that require risk assessments. The CPPA's stated rationale for these removals was to "simplify implementation at this time" and reduce burdens on businesses. While the CPPA could consider reinserting these concepts in the future, public comments appear to have influenced the agency in this area for now.
Finally, to provide greater clarity and predictability, the new draft sets concrete deadlines: for processing activities initiated prior to the effective date for these regulations, businesses must complete risk assessments by December 31, 2027, and must submit specified information to the CPPA by April 1, 2028.
Cybersecurity Audit Regulations
The CPPA’s revised cybersecurity audit requirements aim to reduce compliance burdens while enhancing clarity. The revised regulations introduce the concept of a “cybersecurity audit report” and give some prescriptive guidance on what must be included in a cybersecurity audit report. The updated rules introduce a phased implementation schedule based on annual gross revenue that the Board approved in the May 1 meeting. Businesses generating over $100 million annually must conduct their cybersecurity audit by April 1, 2028; businesses with revenue between $50 million and $100 million have until April 1, 2029; and businesses with under $50 million in annual revenue face a deadline of April 1, 2030.
In addition to the tiered timeline, the revised regulations give businesses more time to complete their audit reports after the audit period concludes and clarify the audit’s coverage period. The certification process has also been eased: instead of requiring sign-off by a board member, the report may now be certified by an executive directly responsible for the organization’s cybersecurity program. Furthermore, the requirement to present the report to the board of directors has been removed, streamlining internal reporting obligations.
The CPPA Has Been Busy and Is Poised for Increased Enforcement
In addition to pushing these regulations forward, April marked a significant month for the CPPA, signaling increased coordinated enforcement on the horizon. First, on April 16, 2025, the CPPA joined forces with the attorneys general of seven states (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon) to form the Consortium of Privacy Regulators. This bipartisan initiative aims to harmonize enforcement of privacy laws, share resources, and coordinate investigations, thereby strengthening consumer privacy protections across state lines.
Then, on April 29, 2025, the CPPA and the UK’s Information Commissioner’s Office signed a declaration of cooperation to enhance privacy protections across jurisdictions. This agreement facilitates joint research, sharing of best practices, and coordinated efforts in addressing emerging data protection challenges. Building upon previous collaborations with South Korea’s PIPC and France’s CNIL, this partnership underscores the CPPA’s commitment to international cooperation in safeguarding consumer privacy.
* * * * *
All signs point to 2025 being a landmark year for the CPPA. We encourage companies to remain engaged, review proposed changes as they emerge, and continue preparing for eventual compliance obligations—even as the scope and shape of those obligations evolve. Perkins Coie has been involved in rulemaking since the CCPA was passed and will continue to assist clients seeking practical changes to the draft regulations.
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field.