On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA will discuss the draft regulations at the upcoming public meeting on September 8, 2023. The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate Board discussion” and are subject to change. Still, the draft regulations provide helpful insight into the obligations that regulated entities may be expected to comply with. Note that the CPPA did not release similar draft regulations for automated decision-making.
According to the draft regulations, before initiating certain processing, businesses would be required to conduct risk assessments if their “processing of consumers’ personal information presents significant risk to consumers’ privacy.”
Key Takeaways from the Draft Risk Assessment Regulations
- Enumerates seven instances in which a risk assessment would be required;
- Adds definitions for “Artificial Intelligence” and “Automated Decision-Making Technology”;
- Sets minimum content requirements for risk assessments;
- Imposes additional requirements on businesses that process personal information to train or use Artificial Intelligence or Automated Decision-Making Technology, such as the requirement to include in the risk assessment a plain-language explanation of why the business is using or seeking to use Automated Decision-Making Technology;
- Requires expanded stakeholder involvement in preparing, contributing to, and reviewing risk assessments; and
- Requires submission of annual risk assessments to the CPPA.
The draft regulations require businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to perform a cybersecurity audit on an annual basis.”
Key Takeaways from the Draft Cybersecurity Audit Regulations
- Enumerates categories of businesses required to complete cybersecurity audits, although the specific categories are among the areas slated for Board discussion on September 8th;
- Sets out detailed requirements for conducting cybersecurity audits, such as using an external third-party auditor and implementing and maintaining extensive information security requirements; and
- Requires businesses that must complete an audit to submit to the CPPA either a written certification that the business has complied with the requirements during the preceding twelve months covered by the audit, or a written acknowledgement that the business was unable to or did not comply with the requirements.
While these regulations are still in draft form, businesses should use this time to evaluate whether they may be required to submit risk assessments and cybersecurity audits pursuant to the CCPA. Efforts may include conducting data mapping and data classification exercises, understanding the use of artificial intelligence and automated decision-making technology within the organization, identifying categories of sensitive personal information, and working with IT and other business teams to ensure the appropriate infrastructure is in place to complete such assessments and audits.