Employers must prepare for significant amendments to the California Consumer Privacy Act (CCPA) of 2018, as amended by the CPRA (CCPA) in 2025. The CCPA grants California residents, including employees, specific rights relating to collecting and using their personal information. These changes include amendments to key definitions, application of data privacy rules to artificial intelligence (AI), and heightened regulatory oversight and enforcement. Outlined below are the top five developments that California employers should anticipate for2025:
- AB 1008: CCPA now expressly covers generative AI systems. The definition of “personal information” (PI) expands to PI located in various formats, including AI systems. If an AI system is capable of exposing PI—such as names, addresses, or biometric data—businesses will be subject to restrictions on how they may use or profit from that data. The Legislature’s goal is to ensure that AI systems adhere to the same privacy protections that govern other forms of data storage, processing, and use.
- SB 1223: The CCPA’s definition of “sensitive personal information” is expanded to include a consumer’s neural data—information generated by measuring the activity of a consumer’s central or peripheral nervous system.
- AB 1824: In 2025, a business that receives the consumer’s PI as part of a merger, acquisition, bankruptcy or other transaction must expressly comply with a consumer’s opt-out preferences.
- Increased Enforcement Activity: The Privacy Police have stepped up the enforcement of the CCPA in recent years. After issuing its first enforcement action under the CCPA in 2022, several new enforcement actions against a variety of businesses for their use and disclosure of PI have been publicized. In 2024, the Privacy Police issued a $6.75 million fine against a cloud software company relating to a 2020 ransomware attack that resulted in California consumers’ PI theft. They also announced a stipulated judgment with a mobile app developer relating to collecting and sharing children’s data without parental consent. These actions show an increased focus on privacy and a willingness to go after companies who fail to take proper safeguards to protect PI.
- New CPPA Regulations: The California Privacy Protection Agency (CPPA) published a set of draft regulations for public comment. Though too voluminous to discuss at length, the regulations primarily seek to update existing regulations, implement requirements for businesses to conduct cybersecurity audits, risk assessments, and implement consumers’ rights to opt out of automated decision-making technology (ADMT). These regulations could go into effect on April 1, 2025, following public comment period and potential changes.
CDF’s Privacy Practice Group will continue to monitor developments related to privacy issues and the CCPA, the CPRA, and the California Privacy Protection Agency’s enforcement actions.
