On November 8, 2024, the California Privacy Protection Agency (CPPA) voted to develop formal rules regarding artificial intelligence (AI) and cybersecurity audits. This follows the California Department of Civil Rights moving forward with its own AI regulations.
The current version of the proposed regulations covers several areas:
- Automated Decision Making Technology (ADMT):
The current draft regulation proposes to establish the right of consumers to access ADMT and to refuse its use by businesses.
The draft also requires businesses to disclose their use of ADMT and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the consumer.
- Cybersecurity audits:
The proposed regulations would require certain businesses to conduct annual cybersecurity audits to ensure compliance with the California Consumer Privacy Act (CCPA) and other relevant regulations. They would also specify the criteria and standards for these audits, including the scope, methodology and reporting requirements.
- Risk assessments:
The draft regulations require companies to regularly conduct risk assessments to identify and mitigate potential privacy risks associated with their data processing activities.
Under the regulations, companies would be required to document their risk assessment processes and conclusions and make them available to the CPPA upon request.
- Insurance regulations:
The draft clarifies when insurance companies must comply with the CCPA, ensuring that consumer data processed by these entities is properly protected.
The proposed rules will enter a 45-day public comment period, during which stakeholders can submit written and oral comments. The CPPA will hold public hearings to gather additional comments and discuss potential revisions to the proposed rules.
After the public comment period, the CPPA will review all comments and make any necessary adjustments to the regulations. This step may involve several rounds of additional reviews and public consultations.
Once the CPPA finalizes the regulations, they will be submitted to the Office of Administrative Law (OAL) for review and approval. If approved, the regulations are expected to come into force by mid-2025.