In recognition of Cybersecurity Awareness Month in the US, we will be bringing awareness to relevant 2023 cybersecurity updates each week.
On 28 August, the California Privacy Protection Agency (CPPA) published draft regulations regarding risk assessments and cybersecurity audits for consideration at the Board’s September meeting. The draft regulations precede the formal rulemaking process, but provide insight into CPPA’s current priorities.
While the scope of the draft regulations is still indeterminate, we expect applicability to be narrower than the CCPA but with significant obligations for businesses that are subject to the final regulations.
For example, under the draft regulations, risk assessments are triggered by the processing of specific personal information (sensitive or children’s), with either certain technologies (e.g., monitoring in employment or public environments), or for certain uses (selling, sharing it for targeting advertising, using automated decision making technology for significant decisions, or to train artificial intelligence or automated decision-making technology). Risk assessments dictate whether processing will be permitted, with such processing to occur only when the benefits outweigh the risks. The frequency of risk assessments is still undetermined, but there will be annual reporting to the CPPA.
Proposed cybersecurity audits are triggered by certain personal information uses (selling, sharing it for targeting advertising), a business’s gross annual revenue (amount undetermined), or the volume of consumer data processed (amount and type undetermined). A qualified, independent professional would conduct the cybersecurity audits and make a report to the CPPA. The draft regulations contain detailed requirements for conducting cybersecurity audits.
The CPPA intends to release an updated draft and start the formal rulemaking process prior to its next meeting. Afterwards, comments on the formal draft will be accepted for 45 days.