On November 22, 2024, the California Privacy Protection Agency (CPPA) opened the public comment period for the proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The proposed regulations have been highly scrutinized over several months as a potential overreach by the CPPA, and the regulations were advanced to rulemaking over the objection of a CPPA board member. Since our July 2024 article, the regulations have been updated to fix grammatical issues, remove the section on consumer price index increases (which was addressed via legislation), and insert a description of the purported benefits of the new regulations. For a more in-depth look at the substance of the proposed regulations, see our earlier analysis.

In Depth

KEY ASPECTS OF THE PROPOSED REGULATIONS

Cybersecurity Audits

Every business whose processing of consumers’ personal information presents “significant risk” to consumers’ security must engage an independent auditor to perform an annual cybersecurity audit and submit that audit to the CPPA. A business’s processing meets the significant risk to security threshold if it:

• Derives 50% or more of its revenue from selling or sharing personal information or
• Reaches the revenue threshold ($25 million) and
  • Processes the personal information of 250,000 consumers or more in the previous calendar year or
  • Processes the sensitive personal information of 50,000 or more consumers in the previous calendar year.

Privacy Risk Assessment

Under the proposed regulations, businesses must conduct and document a privacy risk assessment prior to any processing of consumers’ personal information that “presents significant risk to consumers’ privacy.” The proposed regulations require such assessments for a much broader set of processing activities than other states with consumer privacy laws, including selling or sharing personal information and processing sensitive personal information.

ADMT

If a business uses ADMT to make a significant decision or for profiling or training, it must provide a pre-use notice and honor opt-out and access rights. Significant decisions are decisions that result in access to, or denial of, certain critical social and cultural functions, including financial or lending services, housing, insurance, education enrollment or opportunities, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services. When businesses use ADMT for one of these purposes, it must conduct a privacy risk assessment that captures specific considerations related to ADMT, such as whether the ADMT works as intended for the proposed use and does not discriminate based on protected classes.

WHAT COMES NEXT?

The public comment period will stay open until January 14, 2025, when the CPPA will hold a public hearing on the proposed regulations. After this period ends, the CPPA will consider the comments and may modify the proposed regulations. If the last rulemaking is any indication, we can expect modest but not major changes as a result of public comments, which would then trigger a second, shorter round of public comment.

Once the comment period(s) ends, the proposed regulations must be transmitted to the Office of Administrative Law for final approval before being filed with the Secretary of State. Given the numerous steps that must be taken before the proposed regulations can be finalized, the earliest the regulations could take effect would be April 2025.