
Navigating California's Privacy Landscape: What to Expect in 2024




In Brief


Background: The California Privacy Protection Agency board ("CPPA" or "Board") is actively developing new regulations as mandated by the California Privacy Rights Act. These regulations focus on cybersecurity audits, risk assessments concerning the collection of consumer personal information, and the use of Automated Decision-Making Technology ("ADMT").


Current Progress: The Board has instructed its staff to prepare the cybersecurity audit regulations for formal rulemaking, with the authority to incorporate additional changes as needed. Additionally, staff has been tasked with refining the risk assessment and ADMT regulations, considering feedback from both the public and the Board.


Future Outlook: While the proposed regulations are still in the drafting stage, the Board's discussions and adjustments offer a glimpse into how these critical privacy matters will be addressed in the forthcoming rules. The next iterations of the risk assessment and ADMT regulations are anticipated within the coming months, although the Board has not specified a precise date following its January 12 meeting.


In December 2023, the Board decided to move forward with the development of updated regulations under the California Privacy Rights Act. These regulations focus on cybersecurity audits, risk assessments, and Automated Decision-Making Technology (ADMT). Following the Board's recent success in the California Court of Appeal, which allows for the accelerated enforcement of existing regulations, we anticipate the finalization and implementation of these new regulations this year. Here, we delve into the key components of these proposed updates.



Cybersecurity Audits


According to the current draft, the proposed cybersecurity audit regulations mandate that businesses conduct annual cybersecurity audits if their handling of consumers' personal information poses a "significant risk" to consumers' security. A business's operations are deemed to pose a "significant risk" if the business: (i) generates 50% or more of its yearly revenue from the sale or sharing of consumers' personal information; OR (ii) has annual gross revenues exceeding $25 million and meets one of the following criteria: the business processes the personal information of 250,000 or more consumers, the sensitive personal information of 50,000 or more consumers, or the personal information of 50,000 or more consumers under the age of 16. These specific thresholds may undergo adjustments as the Board seeks additional economic and public input to refine them.


The audits, to be conducted by an internal or external independent auditor, will evaluate the business's cybersecurity program, identify any vulnerabilities, and document the business's strategy for addressing these vulnerabilities.



Risk Assessments


Under the proposed regulations, businesses are also obligated to conduct risk assessments if their handling of consumers' personal information poses a "significant risk" to consumers' privacy. Activities that fall under this "significant risk" category include the sale or sharing of consumer personal information, the processing of sensitive personal information, the use of Automated Decision-Making Technology (ADMT) to create profiles or make decisions with "legal or similarly significant effects" concerning a consumer, and the deliberate processing of personal information of consumers under the age of 16.


Several requirements are outlined for these risk assessments. Businesses must create a summary detailing the processing activities and categories of personal information to be processed. They must also consider the context of the processing, align consumers' reasonable expectations regarding the purpose of processing with the actual purpose, and evaluate the "adverse impact" on consumers' privacy due to the processing, among other factors. It is anticipated that the scope of each assessment category will be further refined and clarified.



Automated Decision-Making Technology (ADMT)


The proposed regulations define Automated Decision-Making Technology (ADMT) in broad terms as "any system, software, or process . . . that processes personal information . . . to make or execute a decision or facilitate human decision-making." These rules would apply to businesses employing ADMT to create consumer profiles or make decisions with "legal or similarly significant effects" on a consumer. This includes decisions affecting access to or denial of financial services, housing, insurance, education, criminal justice, employment or contracting opportunities, healthcare services, or essential goods and services.


Businesses utilizing ADMT would be subject to three main obligations: providing consumers with a pre-use notice, an opportunity to opt out, and access rights. The pre-use notice requirement entails businesses explaining in detail the purpose of their ADMT use before implementing it. Opt-out obligations require businesses to clearly inform consumers of their right to opt out of specific ADMT uses and to offer instructions on at least two methods for doing so. Lastly, access rights require businesses to disclose information about their ADMT use, including its purpose, its logic, and whether it underwent evaluation for validity, reliability, and fairness.


While there are exceptions to the opt-out and access rights requirements, such as those for cybersecurity and fraud prevention, they are still in the process of being clarified.


During the December meeting, some Board members voiced concerns that the current ADMT definition is overly broad and could encompass nearly any platform businesses use in their normal operations. In response, the Board is expected to refine the definition to prevent unnecessarily restricting business practices. A narrower definition of ADMT will have significant implications for the businesses covered by these regulations.


Two Important Points to Remember


(1) These regulations will impose substantial responsibilities concerning crucial privacy matters on affected businesses. The Board is expected to convene in the coming months to deliberate on the next draft of these regulations.


(2) Because these regulations address pivotal privacy concerns, businesses should start assessing whether they fall within the scope of the new rules and which specific requirements will apply to them.

