The California Privacy Protection Agency (“CPPA”) published a revised set of Draft Cybersecurity Audit Regulations ahead of the CPPA Board’s December 8, 2023 meeting. When the CPPA Board met on December 8, several key elements of the Draft Cybersecurity Audit Regulations, as outlined below, were discussed at length. The meeting also gave us valuable insight into how the CPPA Board perceives these requirements to apply to business – and what the audits may cost businesses.
Applicability Thresholds
The applicability thresholds in the draft cybersecurity audit regulations remains a hot button issue, and indeed were a key discussion point during both the September and December CPPA Board meetings. As a refresher, the draft regulations would require “every business whose processing of consumers’ personal information presents significant risk to consumers’ security…complete a cybersecurity audit.”
Processing that “presents significant risk to consumers’ security” has been a moving target. What has not changed is that the cybersecurity audit requirements would apply to any business that is a data broker under the CCPA (derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information) – and is indeed consistent in the latest draft regulations.
For businesses that are not data brokers, the thresholds have been in flux. Previous draft regulations included an applicability threshold based on annual gross revenue or number of employees. The new draft regulations scrap that model in favor of a new framework.
The applicability thresholds for other businesses that are not data brokers (and that meet the California Consumer Privacy Act’s statutory definition of “business” (have annual gross revenues of $25M)) are based on the amount of personal information, sensitive information, or children’s personal information that the business processes annually. For each category, the previous draft regulations set forth three numerical options (personal information of 250,000/500,000/1,000,000 or more consumers or households; sensitive personal information of 50,000/100,000/200,000 or more consumers; or personal information of 50,000/100,000/200,000 or more consumers under the age of 16. In the latest draft regulations, the CPPA, unsurprisingly, selected the lowest threshold for each category. While there was some discussion by the CPPA Board about tying thresholds to a business’ number of employees or gross revenue amount, sentiment by several CPPA Board members focused on instead using the amount of personal information processed as a threshold that is better aligned to the protection of consumers.
The CPPA Board also spent time at the December 9 meeting addressing the need for an economic assessment to address the economic impact to California businesses that would result from the applicability threshold amounts. By selecting the lowest end of each numerical processing threshold, certainly more business would be caught in the net. It was clear that this is a concern to several CPPA Board members, and equally as clear that the Board does not have a good sense of how many businesses would be impacted, nor of the resulting economic costs to those businesses. The CPPA Board compared the costs of the audit to a SOC-type of audit, with some Board members noting their expectation that costs could range from $10,000 for small businesses, to $100,000 for larger businesses. The CPPA Board will commission an economic assessment to better understand the economic impact to businesses, and will take the results of that assessment into consideration as it considers further revisions to the applicability thresholds in the next draft regulations.
Scope of Audits
The new draft cybersecurity audit regulations would require businesses that meet the applicability thresholds to assess and document “how the business’ cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information.” Additionally, such business may assess and document how the business cybersecurity program “protects consumers from the negative impacts associated with unauthorized access, destruction, use, modification, or disclosure of personal information; and unauthorized activity resulting in the loss of availability of personal information.” Those negative impacts to consumers include “impairing consumers’ control over their personal information, as well as economic, physical, psychological, and reputational harm to consumers.”
Board member Alastair Mactaggart expressed significant concern about businesses making assessments about “economic, physical, psychological, and reputational harm to consumers.” Mactaggart cited the September 18, 2023 decision of the U.S. District Court for the Northern District of California granting NetChoice’s request for preliminary injunction in NetChoice v. Bonta blocking enforcement of California’s Age-Appropriate Design Code (AADC) on grounds that the law likely violates the First Amendment. In Mactaggart’s view, the court specifically cited concerns with businesses making similar assessments of consumer harm.
In response to Mactaggart’s concerns, the CPPA Board will charge its staff with further investigation of the proposed assessments, including how the AADC decision may impact the business’ ability to make those assessments. It is important to keep in mind that in the current form of the draft cybersecurity audit regulations, these assessments are optional – so whether the CPPA Board ultimately includes or removes them – it is unlikely that businesses will be required to make them.
What is Next
The CPPA Board has not yet started formal rulemaking, so the draft regulations are only intended to facilitate CPPA Board discussion and public participation, and remain subject to change. Following the meeting, the CCPA Board staff will further revise the proposed regulations. While no dates are set in stone, the CPPA Board predicted that updated draft regulations may be presented to the CPPA Board in January of 2024, which the CPPA Board expects to vote on to proceed to formal rulemaking. The next meeting of the CPPA board is expected to occur in January or February 2024.
Key Takeaways for businesses:
- There does not seem to be much appetite to change the applicability thresholds for data brokers, so if you are a data broker, you will likely need to conduct a cybersecurity audit once the draft regulations become final.
- For non-data brokers, the cybersecurity audit requirements will likely depend on the amount of personal information you process, and not on the size or number of employees of your business.
- The cybersecurity audits will not be a simple box-checking exercise and appear to be something that the CPPA expects businesses to take very seriously. They will also cost real money – potentially ranging from $10K for small businesses, to $100K for large businesses. Certainly there will be no requirements for businesses to budget or spend any specific dollar amount, however, this is an indication of the effort and time that the CPPA expects businesses to expend.
- While cybersecurity audits will likely require businesses to evaluate how the business’ cybersecurity program protects personal information from security incidents, additional assessment of how the cybersecurity program protects consumers from the negative impacts including economic, physical, psychological, and reputational harm to consumers, will likely remain optional.