Tag Archives: OneTrust

Changes in Process to California Privacy Regulations

There are laws, and there are regulations. In California, we are modifying the latter.

Before launching into these regulatory changes, remember that the CCPA is the California Consumer Privacy Act, while the CPPA is the California Privacy Protection Agency. (There’s also a CPRA, the California Privacy Rights Act.)

Imagen 4.

I have attached the May 2025 version of the “Modified Text of Proposed Regulations,” specifically regarding changes to the California Consumer Privacy Act regulations. They affect automated decision-making, conducting risk assessments, and performing cybersecurity audits.

This is still an in-process document. As OneTrust notes:

The regulations will now head to the California Office of Administrative Law for final review before they can be formally enacted. 

In the meantime, we have this thingie, in which

The initial proposal (noticed on November 22, 2024) is illustrated by blue underline for proposed additions and red strikethrough for proposed deletions, unless otherwise indicated, as in Articles 9, 10, and 11. Changes made after the 45-day comment period are illustrated by purple double underline for proposed additions and orange double strikethrough for proposed deletions.

When you get to the purple double underline and orange double strikethrough stage, you know things are getting serious.

CCPA updates from CPPA as of May 2025.Download

From the Summer of Privacy to California SB 690

Harry Chambers of OneTrust gave a far-reaching overview of the worldwide state of privacy legislation this morning. Chambers covered a ton of topics, but I’m going to focus on proposed changes to the California Invasion of Privacy Act, or CIPA.

As Fisher Phillips notes, this is not a new act. And that’s the problem.

“CIPA was originally enacted in 1967 to combat traditional wiretapping and eavesdropping, primarily in the context of telephone communications. It was never designed to address the complexities of the digital age or regulate how businesses track user interactions on the internet.”

But that didn’t stop the lawyers. As Chambers noted, a ton of lawsuits tried to apply 1967 law to modern use cases, including (Fisher Phillips) “routine website technologies such as cookies, pixels, search bar/form, chatbots, and session replay tools.”

Heck, back in 1967 cookies made you high. Whoops, that’s brownies.

Imagen 4.

You can imagine how California technology businesses felt about this. Chatbots as illegal wiretapping? Ouch.

Imagen 4.

Enter California SB 690 to stop what Fisher Phillips called a “shakedown” (settle or you’ll go to court). It proposed to align CIPA with the “commercial business purposes” definition under CCPA as amended.

Imagen 4. For the story behind this picture, see “AI Still Has Bias.”

On June 3, the California Senate unanimously approved SB 690.

But submission to the California Assembly is delayed:

“On July 2, the author of SB 690, State Senator Anna Caballero (D-14), announced she was pausing SB 690, holding it in the Assembly until at least 2026. Caballero cited ‘outstanding concerns around consumer privacy,’ and acknowledged continued opposition from consumer privacy advocates and attorneys’ groups.”

So the lawsuits can continue until morale improves.