California Privacy Regulator Published Draft Risk Assessment and Cybersecurity Audit Regulations Under CCPA
14 September 2023
The California Privacy Protection Agency (“CPPA”) has recently published its draft regulations for Risk Assessments and Cybersecurity Audits (“Draft Regulations”), complementing the California Consumer Privacy Act and the regulations promulgated thereunder (“CCPA”).
The CPPA has not yet started its formal rulemaking process, and the Draft Regulations are meant to facilitate the CPPA’s internal discussion and public participation. Even so, the Draft Regulations give businesses a glimpse into the scope of the requirements the regulator expects to impose on them.
Risk Assessment Regulations
Under the CCPA, businesses are required to submit risk assessments to the CPPA, on a regular basis, with respect to certain personal information processing activities. The Draft Regulations elaborate on this requirement, providing that any business processing personal information in a manner that presents a significant risk to consumers’ privacy shall conduct an appropriate risk assessment before initiating the processing. Such processing activities include, but are not limited to: (i) selling or sharing (for cross-context behavioral advertising purposes) personal information; (ii) processing sensitive personal information; (iii) processing the personal information of minors under the age of 16; (iv) employee monitoring; (v) monitoring consumers in public places; (vi) using automated decision-making technologies; and (vii) training artificial intelligence or automated decision-making technologies.
The Draft Regulations also define the information and considerations that must, at a minimum, be included in the risk assessment. Among other things, a risk assessment should address the proposed processing activities and their purposes; the technologies used; consumers’ expectations; the benefits to the business, to consumers and to other third parties; the possible negative impacts associated with the processing; and the safeguards in place to address those impacts. Lastly, businesses are required to assess whether the benefits outweigh the potential negative impacts as mitigated by the safeguards. A business shall only carry out processing activities whose benefits outweigh their negative impacts.
There are additional specific requirements for risk assessments concerning the use of automated decision-making technologies and the training of artificial intelligence. For example, a risk assessment for the use of automated decision-making technology shall include the reasons for using the technology; the logic of the technology; the metrics used to measure its validity, reliability and fairness; and details about human involvement.
Businesses shall be required to periodically review their risk assessments (specific timeframes are yet to be determined) and to submit to the CPPA both an abridged form of the assessment and a certification by an executive of the business that the business has complied with its obligations under the regulations. Businesses shall also be required to provide the full assessment to the CPPA upon request.
Cybersecurity Audit Regulations
According to the Draft Regulations, every business whose personal information processing activities pose a significant risk to consumers shall complete a cybersecurity audit. The specific processing activities that pose a significant risk to consumers are yet to be defined, but they shall include processing, selling or sharing personal information on a large scale, processing the personal information of minors under the age of 16, and processing sensitive personal information.
Cybersecurity audits shall be conducted by a qualified, independent professional following generally accepted auditing standards. The auditor may be either internal or external to the business; in either case, the business shall ensure that the auditor is impartial and free of conflicts of interest. The auditor shall be granted access to all relevant information about the business’s cybersecurity program and information systems.
The audit shall articulate its scope, its criteria and the evidence on which it is based, and shall include a general assessment of the business’s cybersecurity program to determine its suitability in relation to the business’s size and complexity and the nature and scope of its processing activities. The audit shall identify gaps and weaknesses and report on the status of the gaps identified in prior audits.
Each business shall submit to the CPPA either a certification that it complied with the requirements of the regulations during the preceding 12 months, or an acknowledgment that it did not fully comply, in which case it shall also specify the sections with which it was not in compliance and a remediation timeline. Audit reports must be submitted to the CPPA within a specified timeframe (the exact timeframe is yet to be determined) and are valid for twelve months. The Draft Regulations give businesses a grace period of 24 months from the effective date of the regulations to complete their first cybersecurity audit.
The Draft Regulations will have a dramatic effect on businesses that process personal information and are subject to the CCPA. Businesses currently performing, or planning to engage in, processing activities that may fall within the purview of the Draft Regulations should review their data privacy procedures and ensure they are prepared to address the applicable requirements.
Feel free to contact us if you have any questions about the effect of the new regulations on your organization’s data processing operation and the practical steps that should be taken accordingly.
To learn more about privacy legislation in the US, see our comparative guide on data subject rights under the newly enacted data protection laws of the various US states.