On Friday, November 8, 2024, the California Privacy Protection Agency board voted 4-1 to commence the formal rulemaking process for the draft regulations on Automated Decisionmaking Technology (ADMT), Risk Assessments, Cybersecurity Audits, and Insurance Companies.

The formal rulemaking process will begin with a 45-day public comment period. During this time, CPPA staff will gather and analyze public comments, which will inform potential amendments and revisions to the regulations. The period will likely be extended to account for the holiday season.

While the formal rulemaking process is now underway, the draft regulations remain subject to change. After the 45-day public comment period, the CPPA will analyze comments and consider whether to further amend or revise the regulations. Substantial changes to the proposed regulations will trigger a second 15-day public comment period. Once finalized, the CPPA will assemble and submit the final rulemaking package to the Office of Administrative Law, which then has 30 working days to approve and publish the rules. We will continue to monitor the rulemaking process and provide updates on when the regulations will be effective. For an overview of the rulemaking process, reference the IAPP’s flow chart here.

Before the vote, the board members briefly debated the current draft regulations, which may provide a clue to forthcoming amendments. Key areas of discussion included:

  • Opt-out provisions respecting Automated Decisionmaking Technologies and “behavioral advertising.”
  • Defining “significant decisions” where Automated Decisionmaking Technologies will be subject to restrictions.
  • Distinguishing routine, low-risk data uses from high-risk scenarios for purposes of risk assessments.

Key Takeaways Regarding CCPA Cybersecurity Audit Regulations

  • All of the new regulations remain subject to the existing CCPA applicability thresholds for (1) a business’s revenue and (2) the amount of personal information that a business processes.
  • The Cybersecurity Audit Regulations would require businesses whose processing of consumers’ personal information presents “significant risk” to consumers’ privacy or security to perform a cybersecurity audit on an annual basis.
  • Auditors must be independent and impartial, whether internal or external, and must report findings to the board of directors or the highest-ranking executive.

Key Takeaways Regarding CCPA Risk Assessment Regulations

  • The Risk Assessment Regulations would require businesses to conduct risk assessments if their “processing of consumers’ personal information presents significant risk to consumers’ privacy.”
    • Significant risks include:
      • the selling or sharing of personal information;
      • use of ADMT for “significant decisions” or “extensive profiling,” including “behavioral advertising”;
      • AI training; and
      • processing “sensitive personal information” as defined under CCPA, such as SSNs, biometrics, and all personal information for consumers under 16 (there is an exception for using sensitive personal information to administer employee benefits and compensation).
  • If an Assessment determines that a processing activity presents risks to consumers that outweigh the benefits to consumers, the business, the public, and other stakeholders, the business would be prohibited from carrying out that processing activity.
  • The Assessment requirement applies to processing activities that are ongoing at the time of the effective date of the regulations, not just new activities.
  • Businesses must submit their risk assessments to the CPPA on an annual basis (with the first submission due 24 months following the effective date of the regulations), review their submitted assessments at least once every three years and update as necessary, and update submitted assessments whenever there is a material change to the processing activities in question.
  • Assessments must be drafted with input from internal stakeholders involved with the processing activity.

Key Takeaways Regarding CCPA Automated Decision-Making (“ADMT”) Regulations

  • The ADMT Regulations would require businesses to “provide information to the consumer about how it intends to use the ADMT so that the consumer can decide whether to opt-out or proceed, and whether to exercise their access right.”
  • Businesses must ensure ADMT used for decisions or profiling does not discriminate against protected classes, with internal evaluations and reviews.
  • Businesses must notify users when ADMT outputs are used in “significant decisions” affecting them and detail the logic, key parameters, and human involvement in these processes.
    • Significant decisions include:
      • hiring, firing, promotion, and demotion of employees;
      • eligibility for educational enrollment; and
      • access to or denial of essential services such as groceries.
  • Board members continue to have concerns about the proposed opt-out requirement, which could be broadly interpreted to allow consumers to opt out of any automated process.

Key Takeaways for Insurance Companies

The draft regulations also clarify the extent to which the CCPA applies to insurance companies by providing that personal information that is subject to the California Insurance Code is not subject to the CCPA. However, personal information that is not collected for purposes related to an insurance transaction covered under the Insurance Code would be subject to the CCPA.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Garrett is an associate in Baker McKenzie's North America Intellectual Property Group and is based in our San Francisco office. His practice focuses on helping clients build effective information governance programs, comply with privacy laws and regulations, and respond to cybersecurity incidents.

Author

Gaurav is a law clerk in Baker McKenzie's IP & Technology group.