The California Privacy Protection Agency (“CPPA”) held a public board meeting on December 8, 2023. As discussed in our previous article, the CPPA is in the process of preparing Draft Regulations on Cybersecurity Audits, Risk Assessments and Automated Decision-Making Technology. The Rules Subcommittee provided updates on these regulations, and Board members provided their feedback on the drafts.
Key Takeaways Regarding CCPA Cybersecurity Audit Regulations
- The Cybersecurity Audit Regulations would require businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to perform a cybersecurity audit on an annual basis.”
- The CPPA’s economist advisors estimated 30,000 businesses would be required to conduct audits based on the proposed scope in the draft regulations, but the Board, skeptical and expecting a higher number, asked CPPA staff to consider further feedback on the businesses that the Draft Regulations on Audits would impact.
- The regulations are subject to the existing CCPA thresholds for (1) a business’ revenue and (2) the amount of personal information that a business processes. Several members of the Board stressed that the audit requirement should apply only to companies that are actually processing personal information.
- The Board was satisfied with the current state of the Cybersecurity Audit Regulations and moved to finalize the draft. At the next meeting in January 2024, the Board will vote on whether to advance this draft to formal rulemaking, after which the regulations will enter the 45-day comment period for public feedback.
Key Takeaways Regarding CCPA Risk Assessment Regulations
- The draft Risk Assessment Regulations would require businesses to conduct risk assessments if their “processing of consumers’ personal information presents significant risk to consumers’ privacy.”
- The current draft regulations require businesses to submit their risk assessments annually. The Board debated whether the regulations should include an annual or biannual requirement for the risk assessments, but no decision was reached, and the Board instructed staff to weigh the factors for an annual versus biannual requirement in their next draft.
- The Board did not move to advance the Risk Assessment Regulations to formal rulemaking. Further revisions to the regulations are anticipated.
Key Takeaways Regarding CCPA Automated Decision-Making (“ADMT”) Regulations
- The draft ADMT Regulations would require businesses to “provide information to the consumer about how it intends to use the ADMT so that the consumer can decide whether to opt-out or proceed, and whether to exercise their access right.”
- The Board discussed the definition of ADMT, which several members believed was too broad as it could cover all technology, including business-to-business services.
- The Board focused on the regulations’ requirement that entities covered by ADMT regulations provide consumers with the opportunity to opt-out of “intrusive profiling.” Board members emphasized that, as currently written, this opt out requirement could allow consumers to opt out of any technology, which Board members argued does not promote privacy.
- The Board instructed staff to “wordsmith” the definition of ADMT and the language surrounding this opt-out requirement.
- The Board did not move to advance the ADMT Regulations to formal rulemaking. Further revisions to the regulations are anticipated.
