California continues to push beyond other states in developing and implementing privacy and cybersecurity regulations. The latest evidence came from the recent release of draft regulations from the California Privacy Protection Agency (CPPA), California’s consumer privacy regulator, and a subsequent lengthy hearing on December 8, 2023. The CPPA provided a long-awaited first draft of regulations related to artificial intelligence (AI) as well as recent revisions to its proposed cybersecurity audit and risk assessment regulations.

Here are some key takeaways:

AI/ADT Regulations

The California Consumer Privacy Act (CCPA) seeks to regulate AI, defined as automated decision-making technology (ADT). The regulations define ADT as any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or AI—that processes personal information and uses computation as a whole or part of a system to make or execute a decision or facilitate human decision-making.

ADT includes “profiling,” which is defined as any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The CPPA board voiced concerns over the broad scope of the definitions of ADT and profiling and would like to see attempts to limit both.

The draft regulations suggest that thresholds for required notice, opt-out, and access requirements would be determined by the following uses of ADT:

• Decision that produces legal or similarly significant effects concerning a consumer;
• Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student;
• Profiling a consumer while they are in a publicly accessible place;
• Profiling a consumer for behavioral advertising (with opt-in for consumers under 16);
• Profiling a consumer that the business has actual knowledge is under the age of 16; and
• Processing personal information of consumers to train ADT.

Certain exceptions to the opt-out and access rights such as security, fraud prevention, safety, or no reasonable alternative method of processing have been proposed. As to the last on the list, the CPPA board expressed a desire to limit that exception, as currently proposed, moving forward.

The draft framework also currently allows employees to opt out, but some members of the board disagreed with this.

Cybersecurity Audit Regulations

The subcommittee is still determining the threshold combination for cybersecurity audits but is proposing a $25-million annual revenue threshold as well as the amount of personal information being processed. The regulations currently set the threshold (for covered businesses to be required to conduct cybersecurity audits) at:

1. Processing the personal information of at least 250,000 consumers in the preceding calendar year;
2. Processing the sensitive personal information of at least 50,000 consumers in the preceding calendar year; or
3. Processing the personal information of 50,000 or more consumers that the business had actual knowledge were younger than 16 years of age in the preceding calendar year.

The scope of the cybersecurity audit is broad, likely to be costly, and not merely a “check-the-box” exercise for covered businesses. Businesses may be required to assess the negative impacts associated with unauthorized access and disclosure of personal information such as economic, physical, psychological, and reputation harm to consumers. This is likely to be a focus for the subcommittee’s next draft of the regulations.

Risk Assessments

Covered businesses will also need to conduct risk assessments each time their processing of a consumer’s personal information presents a “significant risk to the consumer’s privacy”. The proposed regulations list (1) selling or sharing personal information and (2) processing sensitive personal information (except for employee/HR data) as activities that present significant risks. They also label the following activities using ADT, or to train ADT, as significant risks to consumer privacy:

• Decisions that produce legal or similarly significant effects concerning a consumer;
• Profiling a consumer acting as an employee, independent contractor, job applicant, or student;
• Profiling for behavioral advertising;
• Establishing individual identity on the basis of biometric information;
• Facial, speech, or emotion detection;
• Generating deep fakes;
• Profiling consumers while they are in a publicly accessible place; or
• Operation of generative models.  

The proposed regulations currently require businesses to submit their first risk assessment 24 months after the effective date of the regulations. The CPPA board expressed a desire to reduce the timing for businesses to begin conducting and updating their initial risk assessments. After the first submission, a business will make similar submissions annually.

The proposed regulations also allow the CPPA board to request risk assessments, which must be submitted within 5 business days. Some board members expressed concerns that the timeline for submission was too short. The CPPA board also requested that the subcommittee add the Attorney General as another party that may request risk assessments. Additionally, the CPPA board wanted the subcommittee to consider requiring that businesses send the CPPA a notice when they are changing techniques, compliance process, and/or strategy.

The CPPA board lastly discussed potentially adding a section for businesses that are already compliant with the General Data Protection Regulation (GDPR) that would outline what additional requirements are needed to comply with the future California risk assessment regulations.

Conclusion

The CPPA board approved the proposed cybersecurity audit regulations to proceed to formal rulemaking, where the subcommittee will streamline and clean up the language before it returns to the board for review one final time before being available for public comment. As to the risk assessment and ADT regulations, the CPPA has directed the subcommittee to continue working on a new draft for the board to review. There were speculations by board members that the cybersecurity audit regulations may be ready for a final rulemaking package by the second or third quarter of 2024.