CPPA Issues Draft CPRA Regulations on Risk Assessment and Cybersecurity Audit

by Lisa Sotto and Sam Grogan 

Lisa Sotto and Sam Grogan (photos courtesy of the authors)

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on Risk Assessment and Cybersecurity Audit (the “Draft Regulations”). The CPPA Board will discuss the Draft Regulations during a public meeting on September 8, 2023.

In issuing the Draft Regulations, the CPPA Board makes clear that it has not yet started the formal rulemaking process for cybersecurity audits, risk assessments or automated decision-making technology, and that these Draft Regulations are intended to facilitate Board and public discussion and are subject to further changes. Nevertheless, the Draft Regulations provide insights into the type of requirements companies may be expected to comply with in the future.

Key highlights of the Draft Regulations include:

Draft Risk Assessment Regulations

  • New definitions for “Artificial Intelligence” and “Automated Decision-Making Technology”;
  • Examples of processing activities that present significant risk to consumers’ privacy and warrant a risk assessment;
  • Illustrative examples of when a business must conduct a risk assessment;
  • Content requirements for risk assessments;
  • Additional requirements for businesses using automated decision-making technology or processing personal information to train artificial intelligence or automated decision-making technology; and
  • Requirements to submit risk assessments to the CPPA.

Draft Cybersecurity Audit Regulations

  • The categories of businesses required to complete cybersecurity audits;
  • Detailed requirements for conducting cybersecurity audits; and
  • Requirements to submit a notice of compliance to the CPPA, including either (1) a written certification that the business has complied with the regulatory requirements during the 12-month period that the audit covers, or (2) a written acknowledgement that the business did not fully comply with the regulatory requirements during the 12-month period the audit covers, identifying areas of noncompliance and providing a remediation timeline or confirmation that remediation has been completed.

Notably, the CPPA did not release draft regulations relating to automated decision-making, which is another topic the CPPA intends to regulate alongside risk assessments and cybersecurity audits.

The public meeting, which will feature a discussion of the Draft Regulations, will begin on September 8, 2023 at 9:00 a.m. PDT.

Lisa Sotto is a Partner at Hunton Andrews Kurth and Sam Grogan is a Global Privacy Policy Analyst at the Centre for Information Policy Leadership. This post first appeared on Hunton Andrews Kurth’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).