California CPPA Set to Adopt Streamlined ADMT Regulations as Dutch DPA Exposes Cookie Banner Violations

Want to receive these privacy recaps in your inbox each week? Subscribe here.

United States

California CPPA To Discuss / Potentially Adopt New Regulations

The agenda for the July 24, 2025 California Privacy Protection Agency board meeting includes discussion and “possible adoption” of regulations regarding automated decision making technology, risk assessments, cybersecurity audits, insurance and updates to existing regulations (“ADMT Regulations”), as well as proposed amendments to regulations implementing the Delete Request and Opt-Out Platform (DROP) requirements (“DROP Regulations”).

TAKEAWAY

The latest version of the ADMT Regulations, published prior to the CPPA’s May meeting, reflected some significant changes from the previous version that were welcomed by most businesses, including removal of “behavioral advertising” (which would have included first-party advertising) as a trigger for the requirement to conduct risk assessments and comply with ADMT opt-out, pre-use and other obligations. The definitions of “ADMT” and “Significant Decision” were also narrowed, with ADMT now only including technology that replaces or substantially replaces human decision-making, and “Significant Decision” (triggering ADMT obligations when processing activities are related to such decisions) now only including decisions resulting in provision or denial of (rather than access to) certain services and specifically excluding advertisements that could lead to such provision or denial of services. The requirement to have a dedicated pre-use notice (separate from existing CCPA notices) has also been removed, now allowing the notices to be bundled together. Finally, audit and risk assessment requirements have both been simplified from previous versions. The comment period for the latest revisions ended June 2, and no new modifications have been published as of July 20, 2025. If the regulations are adopted before August 31, 2025, they will take effect October 1, 2025. The latest version of the DROP Regulations was published ahead of the June 10 board meeting, the comment period for which closed June 25, 2025. 

Europe

Dutch DPA Publishes Cookie Banner Investigation Letters

The Dutch Data Protection Authority (AP) published five final letters from cookie banner investigations conducted in March 2025. The letters (published only in Dutch as of July 20) reportedly revealed that the redacted organizations under investigation had violated the GDPR by processing personal data without adequate legal basis as a result of improperly designed cookie banners. All five organizations made corrections to fix the violations.

TAKEAWAY

According to the AP’s original April 2025 announcement of the investigations, the AP has been investigating frequently visited websites in various sectors (including the financial sector, the media and the hospitality industry) since 2024 and plans to structurally check the status and transparency of cookie banners in the coming years by constantly and automatically scanning the cookie banners of 10,000 websites. The AP will check whether the websites correctly and transparently request consent to place tracking cookies or other tracking software. Although the published opinions were redacted and did not provide detailed examples of the violations, the AP’s announcement mentioned that, in some cases, the button to refuse cookies was hidden, the consent option was already ticked, or the website had already placed cookies before the visitor had given consent or after the visitor had refused cookies.