First Look at California Privacy Protection Agency’s Proposed Regulations on Risk Assessments
This blog was originally posted on September 13th, 2023. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.
AUTHORED BY: Cynthia Cole, Intellectual Property Partner, Justine Phillips, Partner, Brittney Justice, Data Privacy and Security Associate Attorney, Manisha Reddy, Data Privacy and Security Associate at Baker McKenzie
On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA discussed the draft regulations at the public meeting on September 8, 2023.
The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate Board discussion” and are subject to change. Still, the draft regulations provide helpful insight into the obligations that regulated entities may be expected to comply with.
Note that the CPPA did not release similar draft regulations for automated decision-making.
Risk Assessments
According to the draft regulations, before initiating certain processing, businesses would be required to conduct risk assessments if their “processing of consumers’ personal information presents significant risk to consumers’ privacy.”
Key Takeaways from the Draft Risk Assessment Regulations
- Enumerates seven instances in which a risk assessment would be required;
- Added definitions for “Artificial Intelligence” and “Automated Decision-Making Technology”;
- Minimum content requirements for risk assessments;
- Additional requirements for businesses that process personal information to train or use Artificial Intelligence or Automated Decision-making Technology, such as the requirement to include in the risk assessment a plain language explanation of why the business is using or seeking to use Automated Decision-making Technology;
- Requirement for expanded stakeholder involvement in preparing, contributing to and reviewing risk assessments; and
- Requirements to submit annual risk assessments to the CPPA.
Cybersecurity Audits
The draft regulations require businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to perform a cybersecurity audit on an annual basis.”
Key Takeaways from the Draft Cybersecurity Audit Regulations
- Enumerates categories of businesses required to complete cybersecurity audits, however, the specific categories are one of the areas for board discussion on September 8th;
- Detailed requirements for conducting cybersecurity audits, such as using an external third-party auditor and implementing and maintaining extensive information security requirements; and
- Businesses that are required to complete an audit would need to submit to the CPPA a written certification that the business has complied with the requirements during the preceding twelve months covered by the audit or a written acknowledgement that the business was unable to or did not comply with the requirements.
Takeaways
While these regulations are still in draft form, businesses should use this time to evaluate whether or not they may be required to submit risk assessments and cybersecurity audits pursuant to the CPPA.
Efforts may include conducting data mapping and data classification exercises, understanding the use of artificial intelligence and automating decision-making technology within the organization, identifying categories of sensitive personal information, and working with IT and other business teams to ensure appropriate infrastructure to complete such assessments and audits.
Never Miss A Regulatory Update
Join 50,000 compliance professionals for monthly updates on hot compliance issues, free regulatory webinars and whitepapers and market insights on the latest trends