Edward Holman

Subscribe to Edward Holman's Posts

On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.Continue Reading Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer

On March 7, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss its proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) and voted to authorize CPPA staff to advance the regulations to formal rulemaking. As mandated by the Delete Act (discussed in a previous alert), the DROP will allow California residents to submit a single request to delete all personal information held by all data brokers operating in the state via an accessible mechanism. Data brokers would be required to access the DROP for updates every 45 days and delete the personal information of any state resident that matched the data broker’s records unless a deletion exception set forth in the California Consumer Privacy Act (CCPA) applies. These regulations also follow the CPPA’s November 2024 meeting, during which CPPA staff provided an update on the development of the DROP.Continue Reading CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations

On November 8, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss and vote on various proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and a wide assortment of other updates to existing CCPA regulations; data broker registration regulations; and the development of the Delete Request and Opt-Out Platform (DROP) required by the Delete Act. The CPPA Board also voted to approve settlements with two data brokers for allegedly failing to register and pay an annual fee as required by the Delete Act.Continue Reading California’s Privacy Regulatory Odyssey Continues: Formal CCPA Rulemaking on the Horizon Amidst Expanded Data Broker Requirements

Companies that automatically renew customers’ subscriptions or memberships, take note. On October 16, 2024, the Federal Trade Commission (FTC) announced sweeping amendments to the Negative Option Rule, which would apply to a host of subscription-based products and services that have an auto-renewal feature (i.e., a negative option offering), including those directed to businesses. The Rule includes specific and prescriptive requirements, such as requirements to 1) obtain consumers’ affirmative consent to an auto renewal feature “separate from any other portion of the transaction,” 2) present all material terms of the transaction “immediately adjacent to” the means of recording consumer consent, and 3) allow for simple cancellation in the same medium the consumer used to consent, noting that a chatbot cancellation method would not be acceptable unless the initial transaction was made through a chatbot. Violations of the Rule would be subject to $51,744 in civil penalties per violation.Continue Reading Subscription and Auto-Renew Offerings Face New Hurdles: FTC Issues Broad “Click-to-Cancel” Rule Imposing Nationwide Requirements

California’s 2024 legislative session has been marked with exciting developments and a clear focus on setting the rules of the road for artificial intelligence (AI), with some measures becoming law and others stalling out along the way. Last month, Governor Newsom signed 17 bills regulating AI in the Golden State. Notably, Governor Newsom vetoed SB 1047, which would have imposed safety requirements on developers of large models to avoid certain harms. In vetoing the bill, Governor Newsom noted that it was not comprehensive or precise enough, improperly focused on large models even though small ones could present similar risks, and did not take into account whether an Al system is deployed in high-risk environments, involves critical decision-making, or uses sensitive data. Newsom’s veto also represents a big win for the numerous industry members, politicians, and academics who lobbied against the bill, arguing that its passage would stifle innovation in the space. Nevertheless, the AI bills Newsom did sign are expected to have wide-ranging impacts on the AI industry. A summary of those bills is below.Continue Reading Governor Newsom Signs (and Vetoes) Major California AI Legislation

Public Comments Accepted Until November 7

On September 13, 2024, the Colorado Attorney General’s office (the Colorado Department of Law) proposed draft amendments (draft regulations) to its Colorado Privacy Act (CPA) regulations, which took effect

Continue Reading Colorado Department of Law Proposes Amendments to the Colorado Privacy Act Regulations Regarding Biometric and Minors’ Data