Buffalo Business First
Read the ArticleBusinesses located in and outside of California may be subject to additional obligations pursuant to the California Consumer Privacy Act (CCPA), as amended this year. The amendments include steeper fines for violations of the CCPA and its accompanying regulations. The CCPA amendments also modify existing rights, while additional proposed regulatory changes impose new obligations regarding cybersecurity audit record retention, risk assessment deadlines, and procedures for utilizing automated decision-making technology (ADMT), among other things. This article highlights some amendments of interest that took effect on Jan. 1, 2025, as well as regulatory proposals that may take effect as early as Oct. 31, 2025.
Covered businesses that meet certain threshold revenue and activity requirements, share common branding with a business subject to the CCPA, or have certain business relationships with other companies subject to the CCPA, should pay attention to these amendments, with more on the horizon.
Fines for certain violations increased as follows:
The amendments also modify existing rights of and add obligations imposed on businesses. Those obligations include:
The California Privacy Protection Agency (CPPA), a state agency established to implement and enforce the CCPA, also proposed regulatory changes that would create new obligations on businesses which may take effect later this year:
The proposed regulatory amendments are subject to change based on comments submitted to the CPPA after the time of writing.
Businesses need to determine whether they are subject to the CCPA directly or through entities with which they have business relationships. To assist in this analysis and in developing a compliance program, businesses should consider their data collection, processing and transfer activities, evaluate sufficiency of risk assessment and audit procedures, and review opt-out mechanisms. To assist in this process, experts who are well-versed in these issues and your industry may be particularly helpful
Anna Mercado Clark, Partner and Chief Information Security Officer at Phillips Lytle, is the Co-Leader of the firm’s Technology Industry Team. She can be reached at aclark@phillipslytle.com or 212-508-0466.
Maria Althea Teves, attorney at Phillips Lytle, focuses her practice on cybersecurity and commercial litigation. She can be reached at mteves@phillipslytle.com or 716-847-5415.
Receive firm communications, legal news and industry alerts delivered to your inbox.
Subscribe Now