On Friday, November 8, 2024, the California Privacy Protection Agency board voted 4-1 to commence the formal rulemaking process for the draft regulations on Automated Decisionmaking Technology (ADMT), Risk Assessments, Cybersecurity Audits, and Insurance Companies.
The formal rulemaking process will begin with a 45-day public comment period. During this time, CPPA staff will gather and analyze public comments, which will inform potential amendments and revisions to the regulations. The period will likely be extended to account for the holiday season.
While the formal rulemaking process is now underway, the draft regulations are subject to change. After the public comment period, the CPPA will analyze comments and consider whether to further amend or revise the regulations. Substantial changes to the proposed regulations will trigger a second 15-day public comment period. Once finalized, the CPPA will assemble and submit the final rulemaking package to the Office of Administrative Law, which then has 30 working days to approve and publish the rules. We will continue to monitor the rulemaking process and provide updates on when the regulations will be effective. For an overview of the rulemaking process, reference the IAPP’s flow chart here.
Before the vote, the board members briefly debated the current draft regulations, which may provide a clue to forthcoming amendments. Key areas of discussion included:
- Opt-out provisions respecting Automated Decisionmaking Technologies and “behavioral advertising.”
- Defining “significant decisions” where Automated Decisionmaking Technologies will be subject to restrictions.
- Distinguishing routine, low-risk data uses from high-risk scenarios for purposes of risk assessments.
Key Takeaways Regarding CCPA Cybersecurity Audit Regulations
- All of the new regulations are still subject to the existing CCPA thresholds for (1) a business’s revenue and (2) the amount of personal information that a business processes.
- The Cybersecurity Audit Regulations would require businesses whose processing of consumers’ personal information presents “significant risk” to consumers’ privacy or security to perform a cybersecurity audit on an annual basis.
- Auditors must be independent and impartial, whether internal or external, and must report findings to the board of directors or the highest-ranking executive.
Key Takeaways Regarding CCPA Risk Assessment Regulations
- The Risk Assessment Regulations would require businesses to conduct risk assessments if their “processing of consumers’ personal information presents significant risk to consumers’ privacy.”
- Significant risks include:
- the selling or sharing of personal information;
- use of ADMT for “significant decisions” or “extensive profiling,” including “behavioral advertising”;
- AI training; and
- processing “sensitive personal information” as defined under CCPA, such as SSNs, biometrics, and all personal information for consumers under 16 (there is an exception for using sensitive personal information to administer employee benefits and compensation).
- If an Assessment determines that a processing activity presents risks to consumers that outweigh the benefits to consumers, the business, the public, and other stakeholders, the business would be prohibited from carrying out that processing activity.
- The Assessment requirement applies to processing activities that are ongoing at the time of the effective date of the regulations, not just new activities.
- Businesses must submit their risk assessments to the CPPA on an annual basis (with the first submission due 24 months following the effective date of the regulations), review their submitted assessments at least once every three years and update as necessary, and update submitted assessments whenever there is a material change to the processing activities in question.
- Assessments must be drafted with input from internal stakeholders involved with the processing activity.
Key Takeaways Regarding CCPA Automated Decision-Making (“ADMT”) Regulations
- The ADMT Regulations would require businesses to “provide information to the consumer about how it intends to use the ADMT so that the consumer can decide whether to opt-out or proceed, and whether to exercise their access right.”
- Businesses must ensure ADMT used for decisions or profiling does not discriminate against protected classes, with internal evaluations and reviews.
- Businesses must notify users when ADMT outputs are used in “significant decisions” affecting them and detail the logic, key parameters, and human involvement in these processes.
- Significant decisions include:
- hiring, firing, promotion, and demotion of employees
- eligibility for educational enrollment, and
- access to or denial of essential services such as groceries.
- Board members continue to have concerns around the proposed opt-out requirement, which could be broadly interpreted to allow consumers to opt out of any automated process.
Key Takeaways for Insurance Companies
The draft regulations also clarify the extent to which CPPA applies to insurance companies by providing that personal information that is subject to the California Insurance Code is not subject to the CCPA. However, personal information that is not collected for purposes related to an insurance transaction covered under the Insurance Code would be subject to CCPA.