by Beth Burgin Waller and Patrick J. Austin
For businesses subject to California Consumer Privacy Act (CCPA), privacy compliance just became urgent. A California appellate court agreed on February 9, 2024 with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.
The CPPA’s Deputy Director of Enforcement publicly stated on Friday, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”
Possible New Regulations
The California Privacy Protection Agency is currently considering a litany of new regulations in the areas of risk assessments, cybersecurity audits, and automated decision-making technology.
Below is a general overview of the proposed regulations. These regulations have not been finalized and are subject to change as they proceed through California’s formal rulemaking process. However, the following highlights the regulations as they currently stand.
Cybersecurity Audit Regulations
The proposed cybersecurity audit regulations would require certain businesses to conduct security audits when processing consumer personal information presents “significant risk” to the security of consumers.
A significant risk is found if the business: (1) derives at least 50% of its revenue from selling or sharing (for cross-context behavioral advertising purposes) consumers’ personal information, or (2) meets certain not-yet-released thresholds based on the volume and sensitivity of personal information processed by the business.
- Two-year window for initial audit: Businesses would be required to complete an initial cybersecurity audit within two years of the effective date of the regulations. Subsequent cybersecurity audits would then be required on an annual basis.
- Use of an “independent” auditor: The proposed regulations require businesses to utilize an independent auditor (either internal or external to the business) to perform the annual cybersecurity audit. In addition, the auditor must use “accepted procedures and standards.” Audits must assess, document, and summarize each applicable component of the business’s cybersecurity program, including identifying any gaps or weaknesses in said program. In addition, the audit must address the status of gaps or weaknesses identified in any prior audit.
- Signature and certification of cybersecurity audit: Businesses must report audits to the board, governing body, or the highest-ranking executive who is responsible for cybersecurity. This executive must formally sign the audit and certify that the business has not influenced the audit.
- Submission to the CPPA: Businesses must submit to the CPPA either: (1) a written certification of compliance with the audit requirements, or (2) a written acknowledgment of noncompliance, including identification of the areas of noncompliance and a remediation timeline.
Automated Decision-Making Technology (ADMT) Regulations
The scope of what’s considered ADMT under the proposed regulations includes “any system, software, or process—including one derived from machine-learning, statistics, other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making.”
Businesses using this type of technology would be obligated to provide consumers with the following:
- a notice specifically alerting consumers that the business uses ADMT
- a right to opt out of certain uses of ADMT
- a right to access certain information about the business’s use of ADMT, in addition to an affirmative obligation for businesses to provide a notice to consumers of an adverse action using ADMT (under certain circumstances)
Businesses would also be required to conduct risk assessments for certain types of ADMT uses.
Risk Assessment Regulations
Under the CPPA’s proposed risk assessment regulations, businesses would be required to conduct a risk assessment if they process consumers’ personal information in such a way that it presents a “significant risk” to the privacy or security of consumers.
The draft regulations state a “significant risk” may arise when selling or sharing personal information, processing sensitive information, using technology to monitor consumer behavior, and using automated decision-making technology.
- Risk assessment components: The draft regulations provide a general outline of what components must be included in a proper assessment. Those components include explaining what is being collected, how the information is being used, why the processing is needed, the benefits to the business and consumer, and negative impacts on the consumer.
- “Regular basis” requirements: The proposed regulations would obligate businesses to conduct and submit risk assessments to the CPPA on a “regular basis.” There is also a proposed annual submission schedule in the draft regulations. Furthermore, there is a provision stating that these assessments would need to be submitted to the state attorney general “upon request.”
Recommendations for Improving CCPA Compliance Posture
As you can see, getting compliant with the CCPA and its laundry list of regulatory requirements can be challenging. Nevertheless, there are specific steps that can be taken proactively to help improve the CCPA compliance posture of your business. Those steps include:
- Establish a data privacy team or data privacy specialist in your organization: This role should focus on CCPA and other applicable compliance standards surrounding data protection. For example, if your business has a presence in multiple states with different consumer data privacy laws, your team or specialist will need to develop a matrix for monitoring and complying with the differing statutory and regulatory obligations.
- Create a data map: It is imperative to inventory your current set of collected data to properly determine what must be protected. Understanding how data is collected and its flow from system to system provides a roadmap that can help when responding to consumer requests, complying with data minimization and retention obligations, and more.
- Conduct a risk assessment: A risk assessment surfaces the systems that actually store and process personal data, including infrastructure the organization was not previously aware of, so that protection strategies cover those systems rather than only the ones on the official inventory.
- Define policies and governance over personal data: Such policies should cover how consumer data risk is mitigated and monitored, including vendor access and supply chain risk management.
- Train employees on data privacy compliance: Businesses should properly train employees on notable provisions within the CCPA and other applicable data privacy laws. This training is especially critical for employees in customer-facing roles.
Beth Burgin Waller is a Principal and Patrick J. Austin is Of Counsel at Woods Rogers Vandeventer Black PLC.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).