
California Privacy Protection Agency Advances Rulemaking on AI and Cybersecurity Audits

Tuesday, November 12, 2024

On November 8, 2024, the California Privacy Protection Agency (CPPA) voted to proceed with formal rulemaking regarding artificial intelligence (AI) and cybersecurity audits. This comes on the heels of the California Civil Rights Department moving forward with its own regulations about AI.

The current version of the proposed regulations covers several areas:

  1. Automated Decision-Making Technology (ADMT):

The current draft regulations propose establishing consumers’ rights to access and opt out of businesses’ use of ADMT.

They also require businesses to disclose their use of ADMT and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the consumer.

  2. Cybersecurity Audits:

The draft regulations propose requiring certain businesses to conduct annual cybersecurity audits to ensure compliance with the California Consumer Privacy Act (CCPA) and other relevant regulations. They also specify the criteria and standards for these audits, including the scope, methodology, and reporting requirements.

  3. Risk Assessments:

The draft regulations require businesses to perform regular risk assessments to identify and mitigate potential privacy risks associated with their data processing activities.

Under the regulations, businesses would need to document their risk assessment processes and findings, and make these available to the CPPA upon request.

  4. Insurance Regulations:

The draft regulations clarify when insurance companies must comply with the CCPA, ensuring that consumer data handled by these entities is adequately protected.

The proposed regulations will enter a 45-day public comment period, during which stakeholders can submit written and oral comments. The CPPA will hold public hearings to gather additional feedback and discuss potential revisions to the proposed rules.

After the public comment period, the CPPA will review all feedback and make necessary adjustments to the regulations. This stage may involve multiple rounds of revisions and additional public consultations.

Once the CPPA finalizes the regulations, they will be submitted to the Office of Administrative Law (OAL) for review and approval. If approved, the regulations are expected to become effective by mid-2025.

Jackson Lewis P.C. © 2024