California Privacy Protection Agency Moves Forward with AI Regulations, Security Audits, Risk Assessments, and CCPA Updates | Kelley Drye & Warren LLP

California Privacy Protection Agency Advances Regulations on Automated Decision-Making and Cybersecurity

The California Privacy Protection Agency (CPPA) is poised to take significant steps in regulating the use of automated decision-making technology (ADMT) and enhancing cybersecurity measures in the state. At its upcoming board meeting on November 8, 2024, the CPPA will advance rulemaking that aims to impose restrictions on ADMT and require businesses to conduct cybersecurity audits and risk assessments. This initiative marks a culmination of over two years of deliberation, stakeholder engagement, and public commentary, reflecting California’s commitment to consumer privacy and data protection.

The Authority of the CPPA

The California Consumer Privacy Act (CCPA) grants the CPPA the authority to issue regulations concerning cybersecurity audits, risk assessments, and ADMT. However, the specifics of these regulations have remained largely undefined, creating a gap compared to other state privacy laws that provide consumers with rights to opt out of automated profiling and mandate the documentation of Data Protection Impact Assessments (DPIAs). California stands out as one of only three states—alongside Colorado and New Jersey—that has granted such extensive rulemaking authority to its privacy agency, allowing the CPPA to shape the state’s approach to these critical issues.

Proposed Regulations on Automated Decision-Making Technology

The CPPA’s proposed regulations on ADMT are designed to enhance transparency and consumer rights. The regulations would be triggered in three primary scenarios:

  1. Significant Decisions: Businesses using ADMT to make significant decisions affecting consumers—such as access to financial services, housing, or employment—will be required to provide an adverse decision notice to consumers before denying opportunities or services.

  2. Extensive Profiling: The regulations will also apply to businesses that engage in extensive profiling of consumers through automated processing, particularly in contexts like employment, education, or behavioral advertising.

  3. Training ADMT: The use of ADMT for generating significant decisions, establishing individual identity, or creating deepfakes will also fall under these regulations. Deepfakes are defined as manipulated or synthetic content presented as authentic without the consumer’s knowledge.

Under these rules, consumers will receive notifications about the use of ADMT, a limited right to opt out, and access to information regarding how their data is processed and utilized.

Limitations on Opt-Out Rights

While the regulations provide consumers with the right to opt out of ADMT, there are notable exceptions. For instance, if a consumer is offered an opportunity to appeal a significant decision to a human reviewer, the right to opt out may not apply. Similarly, in workplace or educational contexts, the right to opt out may be limited if the business conducts evaluations to ensure the accuracy and non-discriminatory nature of the ADMT.

Mandatory Risk Assessments

In a bid to enhance consumer privacy, the CPPA proposes that businesses processing personal information posing significant risks must conduct risk assessments. These assessments will evaluate whether the risks to consumer privacy outweigh the benefits to the business and other stakeholders. The types of activities that may trigger this requirement include:

  • Selling or sharing personal information.
  • Processing sensitive personal information.
  • Making significant decisions or extensive profiling using ADMT.

The proposed regulations outline specific information that must be included in the risk assessments, such as processing details, expected benefits, potential negative impacts on consumer privacy, and safeguards against these impacts. Businesses will be required to submit their risk assessments within 24 months of the regulations’ effective date and annually thereafter, with a written certification from a high-ranking executive responsible for compliance.

Cybersecurity Audits

Another critical component of the proposed regulations is the requirement for businesses to conduct cybersecurity audits. These audits will assess the effectiveness of a company’s cybersecurity program and identify gaps and weaknesses. Businesses will need to engage a qualified, independent auditor to conduct these assessments; where an internal auditor is used, that auditor must report directly to the board of directors to preserve independence.

Covered businesses will be required to complete their first cybersecurity audit within 24 months of the regulations’ effective date and continue to conduct these audits annually. Notably, only businesses that derive a significant portion of their revenue from selling or sharing personal information, or those that meet specific consumer data thresholds, will be mandated to conduct these audits.

Reclassifying Children and Teen Data

The CPPA also plans to reclassify personal information of consumers under 16 years of age as "sensitive personal information." This change aims to enhance protections for minors, allowing them to opt out of the use or disclosure of their personal information when it is used to infer characteristics about them. This proposal seeks to align California’s regulations with other state laws that treat personal data of children under 13 as sensitive.

Updates to Privacy Rights Requests

The CPPA’s proposed regulations will also modify the process for submitting and responding to privacy rights requests. Key changes include:

  • Toll-Free Requests: Businesses requiring consumers to call a toll-free number for CCPA requests must ensure that staff are adequately trained to handle these requests.
  • Look-Back Period: Consumers will be allowed to request personal information collected beyond the previous 12 months.
  • Denial Notice Disclosure: Denial notices for privacy rights requests will need to include information on how consumers can file complaints with the CPPA or the California Attorney General.

Next Steps in the Rulemaking Process

The CPPA is set to vote on initiating formal rulemaking at its November 8, 2024, board meeting. Following this vote, the public will have a 45-day window to submit comments on the proposed regulations. The CPPA will then review these comments and finalize the regulations, which will take effect based on the timing of their filing with the California Secretary of State.

In a recent ruling, the California 3rd District Court of Appeals confirmed that CPPA regulations take effect immediately upon filing, eliminating the need for a one-year waiting period. This means that once finalized, the new regulations could be implemented as early as January 1, 2025.

Conclusion

The CPPA’s upcoming rulemaking represents a significant step forward in California’s efforts to enhance consumer privacy and data protection. By imposing restrictions on automated decision-making technology, requiring cybersecurity audits, and updating compliance obligations, the agency aims to create a more transparent and secure digital environment for consumers. As these regulations move closer to implementation, businesses will need to prepare for the new landscape of privacy compliance in California.
