Privacy & Information Security Law Blog

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on Risk Assessment and Cybersecurity Audit (the “Draft Regulations”). The CPPA Board will discuss the Draft Regulations during a public meeting on September 8, 2023.

In issuing the Draft Regulations, the CPPA Board makes clear that it has not yet started the formal rulemaking process for cybersecurity audits, risk assessments or automated decision-making technology, and that these Draft Regulations are intended to facilitate Board and public discussion and are subject to further changes. Nevertheless, the Draft Regulations provide insights into the type of requirements companies may be expected to comply with in the future.

Key highlights of the Draft Regulations include:

Draft Risk Assessment Regulations

• New definitions for “Artificial Intelligence” and “Automated Decision-Making Technology”;
• Examples of processing activities that present significant risk to consumers’ privacy and warrant a risk assessment;
• Illustrative examples of when a business must conduct a risk assessment;
• Content requirements for risk assessments;
• Additional requirements for businesses using automated decision-making technology or processing personal information to train artificial intelligence or automated decision-making technology; and
• Requirements to submit risk assessments to the CPPA.

Draft Cybersecurity Audit Regulations

• The categories of businesses required to complete cybersecurity audits;
• Detailed requirements for conducting cybersecurity audits; and
• Requirements to submit a notice of compliance to the CPPA, including either (1) a written certification that the business has complied with the regulatory requirements during the 12-month period that the audit covers, or (2) a written acknowledgement that the business did not fully comply with the regulatory requirements during the 12-month period the audit covers, identifying areas of noncompliance and providing a remediation timeline or confirmation that remediation has been completed.

Notably, the CPPA did not release draft regulations relating to automated decision-making, which is another topic the CPPA intends to regulate alongside risk assessments and cybersecurity audits.

The public meeting, which will feature a discussion of the Draft Regulations, will begin on September 8, 2023 at 9:00 a.m. PDT.