The California Privacy Protection Agency (CPPA) has been steadily designing its vision for the future of privacy regulation, which is taking the form of detailed regulations, and businesses should take note and consider commenting on the proposed rulemaking when the option becomes available.
The CPPA will hold an open board meeting on December 8th to discuss various draft privacy regulations, including the revised draft cybersecurity audit regulations, revised draft risk assessment regulations, and newly proposed draft automated decision-making technology (ADMT) regulations. The revised drafts follow the CPPA’s initial draft cybersecurity audit regulations and risk assessment regulations, which were discussed by the CPPA board of directors in September 2023. Currently, the draft regulations are intended to facilitate discussion among the CPPA board members and public participation, but the CPPA is laying the groundwork for future rulemaking.
The draft regulations are slated to become part of the CPPA’s second substantive rulemaking package to implement the California Privacy Rights Act of 2020 (CPRA). Once finalized, the regulations will require covered businesses to perform annual cybersecurity audits, submit risk assessments to the CPPA regarding their processing of personal information, and follow specific notice, opt-out, and access rules regarding their use of ADMT.
While formal rulemaking has not yet begun, the new regulations provide insight into the significant privacy and security requirements the CPPA may impose. Businesses should consider whether these regulations may apply to them and consider commenting on the proposed regulations when the formal rulemaking comment period begins.
Below, we provide a summary of where each of the draft regulations currently stands:
Cybersecurity Audit Regulations
- Applicability Threshold (§ 7120). Businesses required to conduct security audits include businesses whose processing of consumers’ personal information presents “significant risk to consumers’ security.”
- A significant risk is found if the business: (1) derives at least 50% of their revenue from selling or sharing (for cross-context behavioral advertising purposes) consumers’ personal information, or (2) meets certain as-yet-undefined thresholds based on the volume and sensitivity of personal information processed by the business.
- The CPPA will consider whether to include businesses that have a gross revenue of over $50 or $100 million annually that process: (1) the personal information of 250k, 500k, or 100k consumers, or (2) the sensitive personal information of 50k, 100k, or 200k consumers.
- Timing (§ 7121). Businesses must complete the first cybersecurity audit within two years of the effective date of the regulations. Subsequent audits are required annually.
- Audit Requirements (§ 7122). An independent auditor (internal or external to the business) must perform the annual cybersecurity audit using accepted procedures and standards.
- Auditors must not be involved in the development, implementation, or maintenance of the business’s cybersecurity program. Auditors cannot have prepared documents or participated in activities that may be reviewed in a cybersecurity audit.
- Internal auditors must report directly to the business’s board, governing body, or highest-ranking executive who does not have direct responsibility for the business’s cybersecurity program.
- Businesses must report audits to the board, governing body, or the highest-ranking executive who is responsible for cybersecurity, who must sign the audit and certify that the business has not influenced the audit.
- Audits must assess, document, and summarize each applicable component of an entity’s cybersecurity program, specifically identify any gaps or weaknesses in that program, and address the status of gaps or weaknesses identified in any prior audit.
- Audit Scope (§ 7123). Audits must assess and document any risks from cybersecurity threats that have “materially affected or are reasonably likely to materially affect consumers.”
- Businesses must assess and document “with specificity” 18 specified components of the business’s cybersecurity program, including authentication, encryption, zero-trust architecture, and access controls.
- If any of the specified components are not applicable, the business must document and explain why the component is not necessary to the business’s protection of personal information and how the business’s other safeguards provide at least equivalent security.
- Audits must address past cybersecurity incidents, including any notices made and mitigation measures taken.
- Businesses can use audits conducted under other laws if they document how they meet all of the CPPA regulations’ requirements.
- Notice of Compliance (§ 7124). Businesses must submit to the CPPA either: (1) a written certification of compliance with the audit requirements, or (2) a written acknowledgment of noncompliance, including identification of the areas of noncompliance and a remediation timeline.
Automated Decision-Making Technology (ADMT) Regulations
- Applicability Thresholds (§7001). Businesses that use ADMT must follow specific rules laid out in the regulations. ADMT includes “any system, software, or process—including one derived from machine-learning, statistics, other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. ADMT includes profiling.”
- “Profiling” means any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Notice Requirements (§7017). Businesses must provide consumers with a “Pre-use Notice” informing consumers about the business’s use of ADMT and the consumer’s right to opt out of and to access information about the business’s use of ADMT.
- The notice must be readily available and be provided in the manner in which the business primarily interacts with the consumer prior to the processing of consumer personal information using ADMT.
- The notice must include: a plain language explanation of the purpose for which the business uses ADMT, a description of the right to opt out and how to submit an opt-out request, a description of the right to access information about the business’s use of ADMT, and a simple method by which consumers can learn additional information about the business’s use of ADMT.
- The additional information must include an explanation of the logic used by the ADMT, the intended output of the ADMT, how the business plans to use the output to make a decision, and whether the ADMT use has been evaluated for validity, reliability, and fairness and the outcome of such evaluation.
- Opt-Out Requirements (§7030). Businesses must provide consumers with the ability to opt out of certain ADMT uses, including: (1) decisions that produce legal or similarly significant effects concerning a consumer; (2) profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student; and (3) profiling a consumer while they are in a publicly accessible place.
- The CPPA will also consider other potential uses triggering opt-out rights, such as: profiling a consumer for behavioral advertising, profiling consumers known to be under the age of 16, and processing personal information to train ADMT.
- Businesses must provide two or more opt-out methods that are easy for consumers to execute and must require minimal steps. Businesses must not require consumers to create an account or provide unnecessary information to opt out.
- If the opt-out occurs before processing begins, the business must not process the consumer’s personal information using ADMT. If the opt-out occurs after processing has begun, the business must cease processing within a maximum of 15 days, or as soon as feasibly possible, and notify service providers to effectuate the opt-out.
- The opt-out can provide choices to allow specific uses of ADMT only if a single opt-out of all ADMT uses also is included.
- Exemptions (§7030). Businesses are not required to provide notice, opt-out ability, or access if the business’s use of the ADMT is “necessary to achieve, and used solely for” maintaining security, resisting fraud or illegal actions, protecting the safety of consumers, or delivering the goods or services.
- Businesses claiming the delivery of service exemption must document that there is no “reasonable alternative method” to deliver the service without the use of ADMT.
- If the ADMT is used to profile a consumer for behavioral advertising, the exemption will not apply.
- Access Requirements (§7031). Businesses that are required to provide an opt-out must also provide the consumer with access to information about the business’s use of ADMT.
- If a consumer requests such access, the business must provide the consumer with: (1) the purpose for which the business used ADMT; (2) the output of the ADMT with respect to the consumer; (3) how the business used the output to make a decision with respect to the consumer; (4) how the ADMT worked with respect to the consumer; (5) a method by which the consumer can obtain the range of possible outputs; (6) instructions for how the consumer can exercise their other CCPA rights; and (7) instructions for how to submit a complaint to the business.
- If a business makes a decision resulting in the denial of goods or services that produces legal or similarly significant effects concerning the consumer, the business must notify the consumer to inform the consumer that the decision has been made, that the consumer has a right to access information regarding the business’s use of ADMT, how to exercise that right, and how to complain to the CPPA or attorney general.
- Additional Rules for Consumers Under 16 and 13 (§7070, §7071). The CPPA will consider whether businesses must provide an opt-in method for parents or guardians to consent to the profiling of consumers known to be under the age of 13 for behavioral advertising using ADMT. It will also consider whether consumers between the ages of 13 and 16 must be informed of their right to opt out in the future.
Risk Assessment Regulations
- Applicability Thresholds (§ 7150). Businesses required to conduct risk assessments include businesses whose processing of consumers’ personal information presents “significant risk to consumers’ privacy.”
- A significant risk includes: (1) selling or sharing (for cross-context behavioral advertising purposes) personal information, (2) processing sensitive personal information, (3) processing personal information of consumers known to be under the age of 16, or (4) using ADMT or training ADMT for certain purposes.
- Businesses must conduct a risk assessment if they use ADMT to: make a decision that produces legal or similarly significant effects concerning a consumer; profile a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student; profile a consumer while they are in a publicly accessible place; and profile a consumer for behavioral advertising.
- A “decision that produces legal or similarly significant effects concerning a consumer” means a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.
- Businesses must conduct a risk assessment if they process personal information to train ADMT for: any of the above four purposes of using ADMT, establishing individual identity based on biometric information; detecting faces, speech, or emotions; generating deep fakes; or operating generative models.
- Stakeholder Involvement (§ 7152). Businesses may rely on external parties in the execution of their risk assessment, such as service providers, contractors, and academics. If a business using ADMT has not consulted with external parties, it must include an explanation of why it did not do so and the safeguards it has implemented to address resulting risks to consumers’ privacy.
- Assessment Requirements (§ 7152). Assessments must include 14 components, including a summary of the processing and its purpose, the categories of personal information processed, the benefits to consumers, the negative impacts to consumers’ privacy, the safeguards to mitigate negative impacts, and whether the negative impacts outweigh the benefits.
- If the risks to consumers’ privacy outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public, the business must not engage in the processing of personal information. (§ 7155).
- Additional Disclosures for Using ADMT (§ 7153). If businesses use ADMT, the assessment also must include an explanation of: how the business evaluates the ADMT for validity, reliability, and fairness; the role and degree of any human involvement in the ADMT; and the plain language response the business will provide to a consumer requesting information about the business’s use of ADMT.
- Additional Disclosures for Training ADMT (§ 7154). If they process personal information to train ADMT and make the ADMT available for others to use, businesses must provide a plain language explanation of the purposes for which others may use the ADMT and any limitations on its use. This language also must be included in the assessment.
- If businesses process personal information to train ADMT and make the ADMT available to other businesses, they must provide all facts necessary so the recipient-business may conduct its own risk assessment.
- Timing and Retention (§ 7156). Businesses must conduct and document a risk assessment at least once every three years. If there is a material change to processing activities, the risk assessment must be updated. Risk assessments, regardless of findings, must be retained for five years.
- The CPPA will consider whether businesses that use or train ADMT should update their risk assessments relating to the ADMT annually, every two years, or every three years.
- Submissions (§ 7158). Businesses must complete the first risk assessment within two years of the effective date of the regulations. Subsequent assessments are required annually.
- Businesses must submit to the CPPA using the CPPA’s submission webpage: (1) a written certification of compliance with the risk assessment requirement and (2) an abridged form of the risk assessments conducted. Alternatively, businesses may choose to provide the full risk assessment to the CPPA.
- Businesses must make risk assessments available to the CPPA upon request.
For all regulations, service providers and contractors are required to comply with applicable regulations and cooperate with covered businesses in conducting audits and risk assessments, assessing the use of ADMT, and implementing reasonable security practices. (§ 7150).
We will continue to monitor developments related to the CPPA rulemaking process, and in the interim, please visit MoFo’s CCPA/CPRA Insights page for additional information.
Carson Martinez, an Associate in Morrison Foerster’s Boston office, contributed to the writing of this alert.