California continues to outpace other states in developing and implementing privacy and cybersecurity regulations. The latest evidence comes from the recent release of proposed regulations by the California Privacy Protection Agency (CPPA), and the lengthy hearing that followed on December 8, 2023. The CPPA provided a highly anticipated first draft of regulations relating to artificial intelligence (AI), as well as revisions to its proposed regulations on cybersecurity audits and risk assessments.
Here are some key points to remember:
AI/ADT Regulations
The California Consumer Privacy Act (CCPA) seeks to regulate AI, defined as automated decision-making technology (ADT). The regulations define ADT as any system, software or process, including one derived from machine learning, statistics or other data processing or AI, that processes personal information and uses computation as the whole or part of a system to make or execute a decision or to facilitate human decision-making.
ADT includes “profiling,” which is defined as any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
The CPPA Board of Directors has expressed concerns about the broad scope of the definitions of ADT and profiling and would like to see attempts to limit both.
The proposed regulations would trigger the notice, opt-out and access requirements for the following uses of ADT:
- Making a decision that produces legal or similarly significant effects concerning a consumer;
- Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant or student;
- Profiling a consumer while they are in a publicly accessible place;
- Profiling a consumer for behavioral advertising (with opt-in consent required for consumers under 16);
- Profiling a consumer that the business actually knows is under the age of 16; and
- Processing consumers’ personal information to train ADT.
Certain exceptions to the opt-out and access rights, such as security, fraud prevention, safety, or the absence of a reasonable alternative method of processing, have been proposed. As for the last exception on that list, the CPPA Board has expressed a desire to narrow it, as currently proposed, in a future draft.
The draft framework also currently allows employees to opt out, but some board members do not agree with this.
Cybersecurity Audit Regulations
The subcommittee is still determining the combination of thresholds for cybersecurity audits, but is proposing an annual revenue threshold of $25 million combined with a threshold based on the amount of personal information processed. The regulations currently set that threshold (above which a covered business must conduct a cybersecurity audit) at:
- Processing the personal information of at least 250,000 consumers during the preceding calendar year;
- Processing the sensitive personal information of at least 50,000 consumers during the preceding calendar year; or
- Processing the personal information of 50,000 or more consumers whom the business knew were under the age of 16 during the preceding calendar year.
The scope of the cybersecurity audit is broad, likely to be costly, and not limited to a simple “check the box” exercise for covered businesses. Businesses may be required to assess negative impacts associated with unauthorized access and disclosure of personal information, such as economic, physical, psychological and reputational harm to consumers. This will likely be one of the priorities of the subcommittee’s next draft regulations.
Risk assessments
Covered businesses will also be required to conduct risk assessments whenever their processing of a consumer’s personal information presents a “significant risk to the consumer’s privacy.” The proposed regulations list (1) the sale or sharing of personal information and (2) the processing of sensitive personal information (except employee/HR data) as activities presenting significant risk. They also characterize the following activities using ADT, or processing personal information to train ADT, as significant risks to consumer privacy:
- Making decisions that produce legal or similarly significant effects concerning a consumer;
- Profiling a consumer acting as an employee, independent contractor, job applicant or student;
- Profiling for behavioral advertising;
- Establishing individual identity based on biometric information;
- Face, speech or emotion detection;
- Generating deepfakes;
- Profiling consumers while they are in a publicly accessible place; or
- Operating generative models.
The proposed regulations currently require companies to submit their first risk assessment 24 months after the regulation’s effective date. The CPPA Board of Directors has expressed a desire to reduce the time frame for companies to begin completing and updating their initial risk assessments. After the first submission, a company will make similar submissions each year.
The proposed regulations also allow the CPPA Board to request risk assessments, which must be submitted within five business days. Some board members expressed concern that this submission deadline is too short. The CPPA Board also asked the subcommittee to add the Attorney General as another party that can request risk assessments. Additionally, the Board wanted the subcommittee to consider requiring businesses to notify the CPPA when they change their techniques, compliance process and/or strategy.
The CPPA Board of Directors finally discussed the possibility of adding a section for companies already compliant with the General Data Protection Regulation (GDPR), which would define additional requirements necessary to comply with future California regulations in matters of risk assessment.
Conclusion
The CPPA Board approved the proposed Cybersecurity Audit Regulations to proceed to formal rulemaking; the subcommittee will streamline and clean up the language before returning it to the Board for one final review ahead of public comment. For the risk assessment and ADT regulations, the CPPA asked the subcommittee to continue working on a new draft to submit to the Board. Board members speculated that the cybersecurity audit regulations could reach a final rule set by the second or third quarter of 2024.