California Privacy: A Deeper Dive Into the New Regulations Expected in 2024
In Short
The Background: The California Privacy Protection Agency board ("CPPA" or "Board") is in the process of issuing new regulations as authorized under the California Privacy Rights Act. These three sets of proposed regulations concern cybersecurity audits, risk assessments related to collection of consumer personal information, and use of automated decisionmaking technology ("ADMT").
The Result: The Board has directed staff to prepare the cybersecurity audit regulations for formal rulemaking with authorization to make additional changes. It also directed staff to further revise the risk assessment and ADMT regulations, taking into account public and Board feedback.
Looking Ahead: Although the proposed regulations are not finalized, the Board's discussion and revisions provide insight into how these key privacy issues will be handled in the upcoming regulations. The next drafts of the risk assessment and ADMT regulations are expected in the next few months, but the Board did not commit to a specific date in its January 12 meeting.
In December 2023, the Board voted to proceed with new California Privacy Rights Act regulations for cybersecurity audits, risk assessments, and ADMT. With the Board's recent win at the California Court of Appeal allowing for accelerated enforcement of previous regulations, we expect these proposed new regulations to be finalized and enforced this year. Key aspects of these proposed new regulations are discussed below.
Cybersecurity Audits
As currently drafted, the cybersecurity audit regulations require businesses to complete annual cybersecurity audits if their processing of consumers' personal information presents a "significant risk" to consumers' security. A business's processing presents a "significant risk" if the business: (i) derives 50% or more of its annual revenues from selling or sharing consumers' personal information; OR (ii) has annual gross revenues in excess of $25 million and one of the following applies: the business processes the personal information of 250,000 or more consumers, the sensitive personal information of 50,000 or more consumers, or the personal information of 50,000 or more consumers less than 16 years of age. The exact thresholds are subject to change as the Board seeks further economic and public comment to inform the threshold levels.
The audits, which would be performed by an internal or external independent auditor, would assess the business's cybersecurity program, identify any weaknesses, and document the business's plan to address such weaknesses.
Risk Assessments
The proposed risk assessment regulations also require businesses to complete risk assessments if their processing of consumers' personal information presents a "significant risk" to consumers' privacy. Examples of processing activities that present "significant risk" to consumers' privacy include selling or sharing consumer personal information, processing sensitive personal information, using ADMT to profile or make decisions with "legal or similarly significant effects" about a consumer, and knowingly processing personal information of consumers under the age of 16.
There are several proposed risk assessment requirements, including requiring businesses to develop a summary of processing and categories of personal information to be processed, the context of the processing, consumers' reasonable expectations regarding the purpose of processing and the actual purpose of processing, and the "negative impact" to consumers' privacy because of the processing, among others. The scope of each category of assessments is expected to be further limited.
ADMT
The proposed ADMT regulations define ADMT broadly as "any system, software or process . . . that processes personal information . . . to make or execute a decision or facilitate human decisionmaking." The regulations would apply to businesses that use ADMT to profile consumers or make decisions producing "legal or similarly significant effects" about a consumer, meaning any decision that results in access to or denial of financial services, housing, insurance, education, criminal justice, employment or independent contracting opportunities, healthcare services, or essential goods or services.
Businesses using ADMT would have three obligations: to provide consumers with a pre-use notice, an opportunity to opt out, and access rights. The pre-use notice obligations would require businesses to provide a detailed explanation of the purpose for which they use ADMT before using it. Opt-out obligations would require businesses to clearly state the consumer's right to opt out of certain uses of ADMT and provide instructions on at least two methods to do so. Lastly, access rights would require businesses to provide information about their use of ADMT, including their purpose for using ADMT, the logic of the ADMT, and whether the use of ADMT was evaluated for validity, reliability, and fairness. There are exceptions to the opt-out and access rights obligations, including exceptions for cybersecurity and fraud prevention, but they are still being crystallized.
During the December meeting, some Board members expressed concern that the ADMT definition was too broad and would encompass nearly any platform that businesses use in the ordinary course. In response, the Board is expected to further revise the definition to avoid unnecessarily chilling business practices. A narrower definition of ADMT will have significant implications for which businesses are covered.
Two Key Takeaways
- Once implemented, the regulations will impose significant obligations related to key privacy issues on covered businesses. We expect the Board to meet in the coming months to discuss the next draft of the regulations.
- Businesses should begin considering how they may be covered under the new regulations and the parameters of these regulations, because they pertain to key privacy issues.