
August 2025 Privacy Update

Written by Seth J. Barany
Updated over 2 weeks ago

California Finalizes Long-Awaited CCPA Regulations

After more than a year of deliberation and debate, the California Privacy Protection Agency (the “CPPA”) has approved the final draft of California Consumer Privacy Act (“CCPA”) regulations around cybersecurity audits, risk assessments, and automated decision-making technology. Substantively, the regulations are unchanged from the draft discussed in our June Privacy Update, which is significantly narrower than the sweeping proposal the CPPA issued back in April.

Now, the regulations will be submitted to California’s Office of Administrative Law (“OAL”) for approval before formally becoming law. The new regulations are likely to take effect on October 1, 2025, with a small chance of that date being pushed back to January 1, 2026, depending on how quickly the OAL acts. Despite this relatively short timeline, businesses won’t have to rush to get their automated decision-making technology into compliance since those provisions will not be enforced until January 1, 2027. We will update our California and US privacy tools to reflect the new regulations as we get closer to their effective date, and we will notify you of the changes in a future monthly update.

EDPB Announces Support of GDPR Recordkeeping Amendment and Commits to Supporting GDPR Simplification

On July 9, the European Data Protection Board (the “EDPB” or the “Board”) issued an opinion expressing its support for the European Commission’s recent proposal to amend provisions of the GDPR related to an exemption smaller businesses have from the landmark law’s record-keeping requirements. In its statement, the EDPB said the changes would simplify GDPR compliance, and it called on the European Parliament, which is likely to take up the proposal sometime in the next several months, to clarify certain definitions that establish which organisations will be able to take advantage of the exception.

The opinion aligns with a statement released by the EDPB on July 2, expressing its commitment to collaborating with stakeholders to clarify, simplify, and enhance compliance with the GDPR. This means the record-keeping amendment is likely not the last proposal we will see to amend the GDPR this year. SixFifty will be monitoring this issue as it develops, so keep an eye on this space for further updates.

European Commission Declines to Delay AI Act Implementation

On July 4, the European Commission announced that it would not delay the implementation of Europe’s Artificial Intelligence Act, despite calls from business leaders and some government officials to do so. This means important provisions of the law that regulate how businesses create and deploy general-purpose AI systems will take effect on August 2, 2025. Shortly after making this announcement, the Commission threw businesses that will be subject to these provisions a lifeline by releasing both the General-Purpose AI Code of Practice and the long-awaited official guidelines explaining the obligations the AI Act places on providers of general-purpose AI.

The guidelines serve a similar role to administrative regulations in the United States (i.e., they are official statements of how the Commission interprets and intends to enforce the AI Act), while the Code of Practice is more of an informal set of policies and procedures that providers of general-purpose AI can (but don’t have to) implement to bring their AI programs into compliance with the law. Looking ahead, we have a year before the next phase of the AI Act’s rollout begins, when the law’s provisions related to high-risk AI systems will take effect on August 2, 2026.

US States Ramp Up Privacy Enforcement

Enforcement of state-level privacy laws reached new heights this month, as government officials around the country announced a wave of lawsuits and fines against businesses over improper data collection:

  • In California, Attorney General Rob Bonta announced a $1.55 million settlement with website publisher Healthline Media LLC over allegations that the company engaged in targeted advertising and shared consumer data with third parties without giving consumers the opportunity to opt out, in violation of the California Consumer Privacy Act (the “CCPA”). This is the largest settlement the state has secured to date for CCPA violations.

  • In Utah, Governor Spencer Cox and Attorney General Derek Brown announced a lawsuit against popular social media service Snapchat based on allegations that the company made misleading statements in its privacy notice, improperly collected data from minors, and collected sensitive geolocation information from users after they had opted out. This case represents the first major action Utah has taken to enforce its comprehensive privacy law, the Utah Consumer Privacy Act.

  • In Connecticut, Attorney General William Tong announced an $85,000 settlement with TicketNetwork, Inc. over allegations that the company’s privacy notice was incomplete, contained misleading information, and directed consumers to submit rights requests through methods that were confusing and inoperable. In addition to the monetary fine, the settlement also requires TicketNetwork to bring its privacy program into compliance with the Connecticut Data Protection Act and submit regular metrics to the Connecticut state government regarding the number of consumer rights requests it receives and fulfills.

  • In Nebraska, Attorney General Mike Hilgers announced a lawsuit against General Motors over allegations that the automaker published a misleading privacy notice and that it collected and sold sensitive information about Nebraska residents without notice or consent. As in Utah, this suit is the first major action Nebraska has taken to enforce its privacy law.

  • Finally, Kentucky Attorney General Russell Coleman announced a lawsuit against Chinese shopping platform Temu over allegations that the company illegally collected data from Kentucky residents and sent it to third parties without the residents’ knowledge or consent. The Attorney General’s complaint seeks both monetary damages and injunctive relief under the Kentucky Consumer Protection Act.

Taken together, these actions show a clear trend towards more vigorous enforcement of state privacy laws that is likely to continue as states funnel more resources to privacy enforcers and become more comfortable taking action against businesses whose privacy programs are deemed insufficient. Businesses should take this opportunity to review their own privacy programs to ensure they are compliant with all applicable laws before they find themselves at the wrong end of an enforcement action of their own.

White House Releases AI “Action Plan”

After Congress ultimately did not include the proposed federal moratorium on state AI regulation in this year’s budget, the White House unveiled a new approach to regulating the controversial technology on July 23, when it announced an executive order, “Preventing Woke AI in the Federal Government,” and an accompanying AI Action Plan. The executive order targets the perceived intersection between AI and DEI-related ideologies by directing federal agencies to only use AI models that are “truth-seeking” and “ideological[ly] neutral[ly].” The Action Plan is more in-depth, as it lays out dozens of actions the Trump Administration would like a wide variety of government bodies to take to “accelerate AI innovation,” “build American AI infrastructure,” and help the US “lead in international AI diplomacy and security.”

A few of the actions the Plan contemplates include (1) directing the Office of Management and Budget to “consider a state’s AI regulatory climate when making funding decisions,” (2) calling on the Federal Trade Commission to review all investigations commenced under the Biden administration as well as all currently effective FTC orders and set aside any that “unduly burden AI innovation,” and (3) asking the Office of Science and Technology Policy to launch a Request for Information from the public about federal AI regulations that “hinder AI innovation and adoption.” It’s not yet clear how many of the Action Plan’s initiatives will actually translate to changes in the law, but it’s likely that we will see some deregulation of the industry at both the state and federal level in the coming months, including, potentially, by weakening the provisions of state privacy laws related to “automated decisionmaking technology” and “profiling.” As always, SixFifty will be monitoring this issue, so keep an eye on future monthly updates for more information.
