CPPA Drafts Propose Onerous Requirements

California Reveals Draft Regulations Requiring Onerous Cybersecurity Audits and Privacy Risk Assessments

Overview


On August 28, 2023, the California Privacy Protection Agency (CPPA) released discussion drafts of regulations on cybersecurity audits and privacy risk assessments in advance of the CPPA’s meeting on September 8, 2023.

These drafts propose extensive, onerous requirements that would exceed other state privacy laws, including the following:

  • Implementing dozens of detailed cybersecurity requirements
  • Conducting a robust audit against those requirements and other risks directly supervised by a company’s board (or senior executive)
  • Submitting an annual certification of completion to the CPPA (signed by a board member or senior executive)
  • Submitting annual privacy risk assessments to the CPPA covering a broader range of “high risk processing” activities and more detailed content requirements than other states

Companies subject to the California Consumer Privacy Act (CCPA) should pay heed to these proposed regulations, as many of them likely will require months—if not more—of operational lead time to implement.

In Depth


CYBERSECURITY AUDIT REGULATIONS

Scope. Every business whose processing of consumers’ personal information presents “significant risk” to consumers’ security must perform an annual cybersecurity audit. The draft regulations propose several potential “significant risk” triggers based on gross revenues, the volume of personal information processed, total number of employees or the percentage of revenue derived from selling or sharing personal information.

Prescriptive List of Audit Topics. The draft regulations contain a long list of items to be included in the cybersecurity audit, such as

  • How the business’s cybersecurity program considers and protects against specified negative impacts to consumers’ security
  • Risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect consumers
  • Written documentation of the business’s cybersecurity program, safeguards used to protect personal information, the effectiveness of these cybersecurity program components, identification of gaps or weaknesses, and the business’s plans to address any gaps and weaknesses
  • If the business was required to provide a data breach notification in any jurisdiction, even in another country, a description of the notification, as well as the date and details of the activity that gave rise to the notification and any related remediation measures taken by the business

In total, the draft regulations include nearly six pages of cybersecurity program elements that companies must either implement or document how alternative safeguards achieve the same level of security. The safeguards include: data segregation, data and systems mapping, multi-factor authentication, internal and external vulnerability scans and penetration testing, vendor oversight, incident response planning documentation and preparation, zero trust architecture, record retention schedules and secure development of coding. In short, the draft regulations could become the most prescriptive set of cybersecurity requirements implemented by any state.

Performed by an Independent Auditor. The individual conducting the cybersecurity audit must be a qualified, objective, independent professional. If an internal resource is used, the auditor (1) cannot have any role developing or maintaining the cybersecurity program or perform activities subject to the audit and (2) must report directly to the board or, if there is no board, the highest-ranking officer in the business who does not have direct responsibility for the business’s cybersecurity program.

Board Signature Required. A business required to complete a cybersecurity audit must annually submit to the CPPA either (1) a written certification that the business complied with the cybersecurity audit regulations during the 12 months that the audit covers or (2) a written acknowledgment that the business did not fully comply. The submissions must be signed by a member of the board or governing body, or if none exists, the business’s highest-ranking executive with authority to bind the business.

PRIVACY RISK ASSESSMENT

Scope. Businesses must conduct and document a privacy risk assessment prior to any processing of consumers’ personal information that “presents significant risk to consumers’ privacy.” The draft regulations require such assessments for a much broader set of processing activities than other states with consumer privacy laws, including

  • Selling or sharing personal information
  • Processing sensitive personal information, except for the sensitive personal information of employees or independent contractors for the purposes of employment authorization, payroll, health plan and benefits management, or wage reporting
  • Using Automated Decision-making Technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services or opportunities
  • Processing the personal information of consumers who the business knows are under 16
  • Processing the personal information of consumers who are employees, independent contractors, job applicants or students using monitoring technology
  • Processing the personal information of consumers in publicly accessible places using technology to monitor their behavior, location, movements or actions
  • Processing the personal information of consumers to train artificial intelligence or Automated Decision-making Technology

Content of Risk Assessments. In a Colorado-like fashion, the draft regulations include a long list of processing explanations, as well as risks and benefits, to be included in the privacy risk assessment, which go beyond the requirements of other state privacy risk assessments. In addition to a summary of the processing, under the draft regulations, assessments would have to include an operational plan (e.g., how the business will collect, minimize and secure data) and an assessment of 10 potential harms to data subjects, ranging from psychological to constitutional.

Automated Decision-Making Technology and Artificial Intelligence. In addition to the basic assessment requirements, the draft regulations include additional requirements for (1) businesses using Automated Decision-making Technology for certain purposes and (2) businesses that process personal information to train artificial intelligence or Automated Decision-making Technology. At first blush, many companies could not be faulted for thinking that these requirements would not apply. However, the proposed definitions of “artificial intelligence” and “Automated Decision-making” are so broad that they would sweep in almost any use of a computer—or even an Excel formula.

  • “Artificial intelligence” is defined as an engineered or machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations or decisions that influence physical or virtual environments. Artificial intelligence includes generative models, such as large language models, that can learn from inputs and create new outputs, such as text, images, audio or video, as well as facial or speech recognition or detection technology.
  • “Automated Decision-making Technology” is broadly defined as any system, software or process—including one derived from machine learning, statistics other data-processing techniques, or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. Notably, this expansive definition conceivably could encompass any use of a computer to “facilitate” decision-making.

We anticipate that these definitions will be the subject of much public comment if the CPPA formally proposes these rules.

Submission of Risk Assessment. Businesses must annually submit to the CPPA (1) the business’s privacy risk assessments in an abridged form and (2) a certification by a designated executive that the business has complied with the requirements of the risk assessment regulations. Businesses must also make privacy risk assessments available to the CPPA or the California Attorney General upon request. Unlike other state consumer privacy laws, however, the draft regulations do not preserve the privilege or work product protections that might otherwise attach to a company’s risk assessments.

WHAT’S NEXT?

The draft regulations will be discussed by the CPPA board at the September 8 meeting. We anticipate that additional changes will be made by the CPPA before the proposed regulations are submitted in a formal rulemaking process. While companies may still have a chance to influence some of the more onerous provisions of these regulations, if the last rulemaking process was any guide, the changes may be minimal. Therefore, companies should take the time to benchmark their operations against the draft regulations to identify any significant gaps and create a work plan for how to address those gaps.

If you have questions or need assistance with CCPA compliance or other state privacy laws, please contact any of the authors or your regular McDermott lawyer.

Check out our additional coverage on new state consumer privacy laws: 

State Regulators Step Up Enforcement of New Privacy Laws

Ruling Delays Enforcement of Latest CCPA Regulations

Oregon Joins the Consumer Privacy Trend

Texas Consumer Privacy Law Nears Governor’s Signature

Florida Adds a New Twist to Consumer Privacy Patchwork

Tennessee Joins the Fray as Legislature Passes Consumer Privacy Law

Consumer Privacy Law Comes to Big Sky Country as Montana Passes New Law

Indiana Passes Consumer Privacy Bill

Iowa’s New Privacy Law: The Basics

Colorado Finalizes Sweeping New Privacy Rules; Iowa Joins the Fray

Preparing for New Consumer Privacy laws in Colorado, Connecticut and Utah