The California Privacy Protection Agency (“CPPA”) issued and discussed draft regulations on Cybersecurity Audits and Risk Assessments late in the summer. The CPPA Board plans to discuss the draft regulations at its upcoming December 8th public meeting, along with a presentation on the regulations.

While the regulations are certainly subject to change moving forward, including in response to public comment, privacy, risk and security practitioners should consider how certain draft provisions may impact business operations as the CPPA moves closer to a final text.

Cybersecurity Audits

  • Threshold for requirement to perform cybersecurity audits. Every business whose processing of consumers’ personal information presents “significant risk” to consumers’ security would be required to perform an audit. What constitutes a “significant risk”? The Board is considering several factors for determining if a business’ processing constitutes a “significant risk,” including if the business: (1) derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; (2) processed personal information of more than a threshold number of consumers, e.g., one million consumers; (3) processed sensitive personal information of more than a threshold number of consumers, e.g., one hundred thousand consumers; (4) knowingly processed information for consumers under 16 years of age; (5) met a threshold gross revenue value; or (6) had more than a threshold number of employees. It remains to be seen which, if any, of these criteria the Board adopts in determining which businesses are subject to an audit.
  • Scope of cybersecurity audit. The scope of auditing required will consider a number of factors, including business size, complexity, nature of information processing, state of the art and cost of implementation. In addition, the Board is considering regulations aimed at evaluating how the business’ cybersecurity program considers and protects against the following negative impacts to consumers’ security: unauthorized access; impairment of consumers’ control over their information; the economic, physical, psychological and reputational harm to the consumer associated with any unauthorized access or disclosure; and any risks from cybersecurity threats or incidents that have materially affected, or could materially affect, consumers.
  • Timing. Under the current draft, businesses meeting the threshold requirements will have some runway before the deadline for completing their first cybersecurity audits: 24 months from the effective date of the regulations to complete the first audit, with annual audits required thereafter.
  • Reporting. Businesses subject to the audit requirement will need to submit an annual notice of compliance to the CPPA certifying that the business either complied with the requirements or did not fully comply and when remediation will be completed.

Risk Assessments

  • Definition of “Artificial Intelligence.” The term in the draft regulations is defined broadly and includes any engineered or machine-based system that is designed to operate with varying levels of autonomy and that can generate outputs.
  • Definition of “Automated Decision-making Technology.” The term is not defined by statute, and thus the CPPA will need to finalize a definition through the rulemaking process. “Automated Decision-making Technology,” like “Artificial Intelligence,” is defined broadly to include any system that processes personal information and uses computation, as the whole or part of a system, to make or execute a decision or facilitate human decision-making. As with the definition of “Artificial Intelligence,” many systems, software and processes utilized by businesses are likely to fall under the definition. Notably, the initial draft definition is arguably broader than the GDPR, which limits its scope to decision-making by automated means with no human involvement.
  • When businesses must conduct a Risk Assessment. Any business whose processing of consumer personal information presents “significant risk” to consumer privacy must conduct a risk assessment before initiating that processing. One of the criteria the Board is considering as constituting a significant risk is whether the company sells or shares personal information, meaning the Risk Assessment requirement may affect a broad scope of companies. As for what constitutes a “significant risk” in the context of a Risk Assessment, the Board is also considering a number of criteria, including whether the business is:
    • Selling or sharing personal information
    • Processing sensitive personal information, unless it does so solely for its employees for employment authorization, payroll, benefits management or wage reporting.
    • Using automated decision-making to decide whether to provide certain services, such as financial, lending, housing, employment, healthcare or education, among others.
    • Knowingly processing personal information of consumers under age 16.
    • Processing employee or student information to monitor those individuals, e.g., keystroke loggers, location trackers or other monitors.
    • Processing consumer personal information in publicly accessible places to monitor behaviors or location.
    • Processing personal information of consumers to train automated decision-making technology.
  • Timing and reporting. The Board is considering whether to require risk assessments annually, biannually or once every three years. The risk assessment must be updated if a business materially changes its processing activity. Risk assessments must be made available to the CPPA or the Attorney General upon request, with certifications submitted annually.
  • Businesses utilizing Automated Decision-making Technology. If a business is using automated decision-making technology, additional information must be provided in the risk assessment, including why the business is using such technology and for what purposes, the benefits of using the technology over manual processing, what personal information is processed using the technology, an explanation of the outputs and how that output will be used, as well as the logic and assumptions used by the technology. Given the breadth of the definition of “Automated Decision-making Technology” described above, these additional requirements for businesses subject to the Risk Assessment requirement may prove burdensome.

Moving forward, the CPPA will open the formal rulemaking process which, by rule, triggers a public comment period. It remains to be seen whether the CPPA Board initiates the formal rulemaking process following the December 8th meeting. While the draft regulations are subject to, and likely to, change throughout that process, it is worthwhile staying abreast of the regulatory direction the CPPA is considering as the process continues, given that the effective date of the regulations will open the compliance window for performing an initial cybersecurity audit and/or risk assessment.