
A view from California: Privacy Agency enforcement, CCPA rulemaking and CIPA reform

May 7, 2025

There is never a boring moment in California privacy law, and these past weeks have been no exception.

From major modifications to the proposed California Consumer Privacy Act (CCPA) rulemaking on automated decision-making and cybersecurity audits, to California Invasion of Privacy Act (CIPA) reform initiatives and recent decisions that may be turning the tide towards defendants, to a just-announced California Privacy Protection Agency (agency) decision against a clothing retailer for alleged violations of the CCPA, the last month has seen major activity on all fronts.

1. Agency Enforcement Action against National Clothing Retailer for Consumer Request Practices

Following on the heels of its settlement with a major auto manufacturer for its opt-out and data subject right verification procedures, on May 6, the agency announced a settlement with a national clothing retailer requiring it to pay a monetary fine of $345,178 and to change certain business practices regarding how it processes and honors consumer requests.

The CPPA’s Enforcement Division alleged that the national clothing retailer violated Californians’ privacy rights by:

  • Failing to oversee and configure properly the technical infrastructure of its privacy portal, resulting in a failure to process consumer requests to opt out of the sale or sharing of personal information for 40 days
  • Requiring consumers to submit more information than necessary to process their privacy requests
  • Requiring consumers to verify their identity before they could opt out of the sale or sharing of their personal information.

a. Using privacy management platforms and testing their configurations

According to the Order of Decision, the retailer used a variety of online tracking technologies, such as pixels and cookies, that automatically send data about consumers’ online behaviors to third-party companies for a variety of purposes, including analytics and cross-contextual behavioral advertising, which constitutes a “sale” or “share” of consumer data under the CCPA. For a period of time in 2023, consumers who clicked the online link to control their cookie settings, including opt-outs, were shown a disappearing banner, making it impossible for them to opt out of the sale or sharing of their information.

The Order stresses that the retailer “would have known” about these configuration issues on the site “had it been monitoring its website, but [the retailer] instead deferred to third-party privacy management tools without knowing their limitations or validating their operations.” This provision mirrors the Agency’s prior settlement with a major auto manufacturer, wherein it emphasized that contracting out privacy rights to a third-party consent management tool, without monitoring and oversight of that tool, is not a defense to liability.
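One way a business can validate that its privacy portal is actually honoring opt-outs, rather than trusting the vendor tool, is to reconcile the opt-out requests the front end received against the ones the downstream suppression pipeline confirmed, and alert on silent gaps. The following is an added illustration written for this note, not the retailer's, the agency's or any vendor's code; the JSON-lines log format, the field names and the 15-day alert window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log (format and field names are assumptions): the web
# front end writes a 'received' line when a consumer submits an opt-out; the
# suppression pipeline writes a 'processed' line once the opt-out took effect.
SAMPLE_LOG = """\
{"event": "received",  "id": "r1", "ts": "2023-03-01T10:00:00"}
{"event": "processed", "id": "r1", "ts": "2023-03-01T10:05:00"}
{"event": "received",  "id": "r2", "ts": "2023-03-02T09:00:00"}
{"event": "received",  "id": "r3", "ts": "2023-03-20T14:30:00"}
{"event": "received",  "id": "r4", "ts": "2023-04-11T08:15:00"}
{"event": "processed", "id": "r4", "ts": "2023-04-11T09:30:00"}
"""
NOW = datetime(2023, 4, 15, 12, 0, 0)  # constructed "current time" for the check


def parse_events(text):
    """Parse JSON-lines into (event, request_id, timestamp) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append((rec["event"], rec["id"], datetime.fromisoformat(rec["ts"])))
    events.sort(key=lambda e: e[2])
    return events


def overdue_requests(events, now, window=timedelta(days=15)):
    """IDs of opt-outs received more than `window` ago with no 'processed' event."""
    received = {rid: ts for ev, rid, ts in events if ev == "received"}
    done = {rid for ev, rid, _ in events if ev == "processed"}
    return sorted(rid for rid, ts in received.items()
                  if rid not in done and now - ts > window)


def processing_gap_days(events, now):
    """Longest stretch, in whole days, during which opt-outs kept queuing but the
    pipeline confirmed none of them (the silent-outage pattern the Order describes)."""
    longest, pending_since = timedelta(0), None
    for ev, _, ts in events:
        if ev == "received" and pending_since is None:
            pending_since = ts
        elif ev == "processed" and pending_since is not None:
            longest, pending_since = max(longest, ts - pending_since), None
    if pending_since is not None:  # still stalled at the end of the log
        longest = max(longest, now - pending_since)
    return longest.days


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("overdue:", overdue_requests(evs, NOW))               # ['r2', 'r3']
    print("longest stall (days):", processing_gap_days(evs, NOW))  # 40
```

Run on a real portal this would be wired to the front-end and pipeline logs and paged on any non-empty overdue list; the point is that the check lives with the business, independent of the consent tool's own reporting.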

b. Opt-out requests are not verifiable consumer requests

Similarly, the Order also takes issue with the retailer’s collection of additional data points from a consumer in order to honor its opt-out rights. According to the agency, the CCPA distinguishes between CCPA requests that require a business to verify an identity (access, deletion) and those requests that do not require or allow for verification (opt-out of sale/share). As opt-outs of sale/share are not verifiable consumer requests, the agency found that the retailer’s request for additional information from the consumer to honor an opt-out request was in violation of law.

2. Agency Proposes More Revisions to Draft Privacy Regulations

CCPA rulemaking remains in flux. In preparation for its May 1 meeting, the Agency published revisions to its draft regulations.

At its May 1 meeting, the agency board provided key updates on draft CCPA regulations related to AI and cybersecurity. Major changes to the regulations include:

  • A phased implementation of cybersecurity audit requirements over three years
  • Completely removing the term “artificial intelligence” from the draft regulations in order to allow the state legislature to craft its own comprehensive AI law
  • Narrowing the definition of Automated Decision-Making Technology (ADMT) to cover decisions that “substantially replace human decision-making”
  • Removal of the definition of behavioral advertising from the definition of extensive profiling under ADMT
  • Clarification that a pre-use notice can be combined with a notice at collection
  • Introduction of new exceptions to ADMT opt-out rights
  • Harmonizing ADMT risk assessment requirements to make them more similar to the Colorado AI Act. The regulations include a hypothetical example of how a business complying with Colorado law can ensure it meets California’s proposed requirements.

Some board members expressed concern about the extent of recent changes to draft rules. Agency staff submitted an economic analysis finding that the modifications would reduce potential business costs in the first year by up to 66%.

Nonetheless, the board approved a motion directing staff to take all necessary steps to prepare and notice modified draft regulations for public comment. These modifications will reflect the staff’s proposed changes, as well as additional updates based on the board’s discussion.

The public comment period is set to close on June 2, after which the board will reconvene sometime in August or September, if not before.

The agency board has previously stated a goal of submitting a final rulemaking package to the Office of Administrative Law by November 2025.

3. Legislative Update and Agency Position on Pending Bills

The board also reviewed legislative updates and considered staff recommendations on bills that impact the agency either by amending the CCPA, modifying the Delete Act, or assigning new responsibilities to the CPPA. Staff voted in favor of the following bills:

  • AB 1355 - Location Privacy
    • This bill introduces strict regulations on the collection, use, and sale of location data. It imposes data minimization and purpose limitation requirements, mandates consumer disclosures about location data practices, and restricts the sale or sharing of such data. Enforcement authority is granted to the Attorney General, district attorneys, and the CPPA, and it includes a private right of action.
    • Staff Recommendation: Support
  • SB 44 - Neural Data and Brain-Computer Interfaces
    • SB 44 amends the CCPA to govern the collection and use of neural data by brain-computer interface technology. Businesses must use neural data solely for its original purpose and delete it once that purpose is fulfilled.
    • Staff Recommendation: Support
  • SB 361 - Data Broker Transparency
    • This bill amends the Delete Act to require data brokers to disclose whether they collect additional information when they register with the agency, including:
      • Consumer’s account login credentials
      • Government ID numbers
      • Immigration status and citizenship data
      • Union membership
      • Sexual orientation
      • Gender identity and expression; and
      • Biometric data
    • Staff Recommendation: Support
  • SB 468 - High-Risk AI Systems Duty to Protect Personal Information
    • SB 468 establishes comprehensive information security requirements for AI systems processing personal information. It requires deployers of high-risk AI systems that process personal information to develop, implement, and maintain a comprehensive information security program containing specific administrative, technical, and physical safeguards. The bill is enforceable under the Unfair Competition Law, and the CPPA is authorized to adopt regulations to implement the bill’s provisions.
    • Staff Recommendation: Support if amended to grant the CPPA enforcement authority

4. CIPA Reform (SB 690)

Following a deluge of CIPA class actions, mass arbitrations, and individual filings against businesses in and out of California, efforts to reform CIPA have made meaningful progress.

SB 690 proposes to amend CIPA to exclude from the wiretapping rules any uses, devices, and processes for “commercial business purposes.” The amendment defines “commercial business purposes” as the processing of personal information either “performed to further a business purpose” as defined by the CCPA or “subject to a consumer’s opt-out rights” provided by the CCPA. The bill would apply retroactively to any pending CIPA cases, potentially undermining claims pending when the amendment goes into effect.

On April 29, 2025, a hearing was held before the Senate Committee on Public Safety; the bill was voted out of Committee and is now before the full Senate. The sponsor of the amendment, Senator Anna Caballero, characterized CIPA suits as an attempt by plaintiffs to subvert the carefully negotiated CCPA opt-out regime, while others referred to the CIPA suits as a “shakedown” and potentially ruinous to small and medium-sized businesses forced either to settle or to pay litigation costs. The amendment would provide businesses with much-needed guidance on how to comply with the law and would ensure that business activities already regulated by the CCPA are not within the purview of CIPA.

5. Recent CIPA decisions suggest some relief for defendants

a. Article III standing

Two recent CIPA putative class actions filed in the Southern District of New York were dismissed for lack of standing. The decisions are Zhizhi Xu v. Reuters News & Media Inc., No. 1:2024cv02466 (Feb. 13, 2025, S.D.N.Y.), and Gabrielli v. Insider, Inc., No. 1:2024cv01566 (Feb. 18, 2025, S.D.N.Y.).

The courts in both cases held that the plaintiffs failed to allege a concrete injury in fact as required to satisfy Article III standing. First, neither plaintiff alleged that they were harmed by targeted advertisements or the like and instead alleged that a procedural violation of CIPA was sufficient to confer standing. The courts disagreed, finding that a statutory violation alone is insufficient to confer Article III standing.

Additionally, the courts rejected the characterization of IP addresses as private or personal information, stating that sharing an IP address without more does not amount to an invasion of privacy, a deprivation of the right to control personal information, or public disclosure of private facts for standing purposes. IP addresses are voluntarily shared when a user accesses a website and people are not entitled to a legitimate expectation of privacy in them. While it is clear that a statutory violation alone does not confer standing, the reasoning turned largely on the fact that the IP addresses were the only information at issue. Thus, the dissemination or disclosure of additional information may lead to a different outcome on standing.

b. “In Transit” requirement

The Northern District of California granted summary judgment to a CIPA defendant in Torres v. Prudential Financial Inc., No. 1: 2022-cv-07465 (April 17, 2025, N.D. Cal.). In Torres, the plaintiff alleged that Prudential and its third-party vendor, ActiveProspect, violated CIPA by collecting and replaying users’ interactions with Prudential’s website without their consent. Prudential’s site allowed users to request life insurance quotes, and ActiveProspect provided related software services that included session replay technology. Plaintiffs argued this amounted to unauthorized interception of communications.

The defendants moved for summary judgment, arguing that CIPA only applies when a party willfully and without consent reads or attempts to read the content of a communication while in transit. The court agreed, holding that because ActiveProspect did not read or try to read the contents of the communication while in transit, CIPA liability did not apply—even if data was collected during the session. According to the court, “the question is whether ActiveProspect did independently attempt to decipher the contents of any communication. And plaintiffs fail to provide any evidence indicating that ActiveProspect did so.”

According to the court, “Because Plaintiffs have not shown that ActiveProspect attempted to understand or decipher the contents of Plaintiffs’ communications on its webform while the communications were in transit, there is no genuine dispute as to whether ActiveProspect read or attempted to read those communications under section 631. Further, because there is no predicate violation of section 631 on the part of ActiveProspect, there is no genuine dispute as to whether Prudential and Assurance aided and abetted ActiveProspect in violation of section 631.”

Torres gives hope that technical and factual defenses to CIPA allegations on the merits of the claim may prove successful on summary judgment, even where those same claims are allowed to proceed past initial motions to dismiss.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
