Analyzing the New CCPA Regulations

Troutman Pepper Locke

Key point: At its July 24 board meeting, the California Privacy Protection Agency Board authorized agency staff to finalize regulations on automated decision-making technology, risk assessments, cybersecurity audits, insurance, and changes to the existing regulations.

At its July 24 meeting, the California Privacy Protection Agency Board authorized agency staff to finalize and submit to the Office of Administrative Law the rulemaking package on various new California Consumer Privacy Act (CCPA) regulations. The new regulations are on automated decision-making technology, risk assessments, cybersecurity audits, insurance, and changes to existing regulations.

In this article, we provide an overview of some of the more notable aspects of the regulations. We will also be hosting a two-part webinar series on August 21 and September 25 to provide a more in-depth analysis of the regulations.

Cybersecurity Audits

Applicability

The regulations require businesses to conduct cybersecurity audits when there is a “significant risk to consumers’ security.” The regulations further specify that such a risk exists if (1) the business derives 50% or more of its annual revenues from selling or sharing consumers’ personal information or (2) the entity qualifies as a business under the CCPA’s annual gross revenue threshold (currently $26.625 million) and either processes the personal information of 250,000 or more consumers or households in the preceding calendar year or processes the sensitive personal information of 50,000 or more consumers in the preceding calendar year.

Timing

The regulations create a gradual implementation for when businesses must complete cybersecurity audits based on their annual gross revenue:

Deadline        Annual Gross Revenue                     Time Period Covered by Audit
April 1, 2028   More than $100 million for 2026          January 1, 2027, to January 1, 2028
April 1, 2029   $50 million to $100 million for 2027     January 1, 2028, to January 1, 2029
April 1, 2030   Less than $50 million for 2028           January 1, 2029, to January 1, 2030

Certificate of Completion

Businesses will need to submit a written certification annually to the agency that they completed the cybersecurity audit. The certification needs to be completed by a member of the business’s executive team who is directly responsible for cybersecurity compliance, has sufficient knowledge to provide accurate information, and who has the authority to submit the certification.

Scope

The regulations also set forth the scope of the cybersecurity audit and report. The audit can be conducted internally or externally so long as the audit is objective and impartial. The business also must make available to the auditor all information necessary to conduct the audit.

The audit is required to assess numerous aspects of the business’s cybersecurity program, including written documentation, authentication protocols, use of encryption, access controls, data inventories, data maps, data classification policies, asset inventories, penetration testing, audit log management, retention schedules, and cybersecurity training, among many others.

In turn, the report must, among other things, describe the business’s information systems and the information covered in the audit’s scope. It must identify and document any gaps or weaknesses found in the audit that the auditor believes increase the risk of a data breach, and how the business plans to address them.

Importantly, a business may satisfy this requirement by using a cybersecurity audit, assessment, or evaluation that it prepared for another purpose so long as it addresses all of the requirements of the regulations or is supplemented to do so. “For example, a business may have engaged in an audit that uses the National Institute of Standards and Technology Cybersecurity Framework 2.0 and meets all of the requirements of this Article.”

Risk Assessments

When Required

Businesses are required to conduct risk assessments if their processing of consumers’ personal information presents a “significant risk to consumers’ privacy.” The regulations identify six processing activities that trigger the risk assessment requirement:

  1. Selling or sharing personal information.
  2. Processing sensitive personal information (with certain exceptions for the processing of employee sensitive personal information).
  3. Using automated decision-making technology (ADMT) for a significant decision concerning a consumer.
  4. Using automated processing to infer or extrapolate certain information regarding a consumer such as intelligence, aptitude, health, or personal preferences, based on systematic observation of the consumer in a work or education setting.
  5. Using automated processing to infer or extrapolate certain information regarding a consumer such as intelligence, aptitude, health, or personal preferences, based on the consumer’s presence in a sensitive location.
  6. Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer.

Scope

The purpose of the risk assessment is to determine whether the risks of the processing activity outweigh the benefits to the consumer, business, public, and other stakeholders. The regulations set forth several pages of requirements but, in short, the risk assessment needs to document (1) the processing activity (e.g., what personal information is collected and how much, how it will be used, how long it will be retained, and whether it will be shared with others), (2) the benefits to the business, consumer, public, and other stakeholders, (3) the negative impacts, and (4) any safeguards the business intends to implement to address any negative impacts.

If a business makes ADMT trained using personal information available to another business to make a significant decision concerning consumers, the business must provide the recipient-business with information necessary for it to conduct its own risk assessment.

Timing

For processing activities that predate the regulations but continue after their effective date, businesses will need to complete risk assessments no later than December 31, 2027. Businesses must otherwise conduct risk assessments prior to initiating the subject processing activity. Risk assessments must be reviewed and updated at least once every three years or if there is a material change in the processing activity.

Submission to Agency

The regulations create an accountability system whereby businesses need to submit basic information regarding their risk assessments to the agency on an annual basis. The regulations phase in this requirement starting in 2028. Specifically, no later than April 1, 2028, businesses need to submit information to the agency regarding the risk assessments they conducted in 2026 and 2027. For risk assessments after 2027, businesses will need to submit the information to the agency by April 1 of the following year.

The information required to be submitted to the agency includes the business’s contact information, the time period covered by the submission, the number of risk assessments covered or updated during the time period, whether the processing activity involved the processing of certain types of personal information, and an attestation.

Prior versions of the regulations would have required businesses to submit an abridged version of the risk assessments but that requirement was dialed back in the final draft. However, the agency and attorney general retain the right to request risk assessment reports on thirty days’ notice.

ADMT

Scope

The scope of the ADMT regulations changed significantly over the various drafts. Ultimately, the regulations apply to “ADMT to make a significant decision concerning a consumer.”

The regulations define ADMT to mean “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”

The regulations define “substantially replace human decisionmaking” to mean “a business uses a technology’s output to make a decision without human involvement. Human involvement requires the human reviewer to: (A) Know how to interpret and use the technology’s output to make the decision; (B) Review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and (C) Have the authority to make or change the decision based on their analysis in subsection (B).”

ADMT is defined to include profiling but to exclude certain activities like web hosting, data storage, and firewalls, to name a few.

Profiling is defined as “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s intelligence, ability, aptitude, performance at work, economic situation, health, including mental health, personal preferences, interests, reliability, predispositions, behavior, location, or movements.”

Finally, “significant decision” is defined as “a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” The regulations contain follow-on definitions of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, and health care services.

The regulations specifically state that “significant decision” does not include advertising to a consumer.

In general, the scope of the ADMT rules was narrowed during the revision process. For example, the regulations no longer cover profiling of consumers through systematic observation of a publicly available place and profiling a consumer for behavioral advertising. The agency also removed the definition, and any reference to, artificial intelligence from the regulation. That said, at the July 24 board hearing, many tech advocates argued the regulations were still overbroad (while privacy advocates argued they were too narrow).

Timing

Businesses that use ADMT for significant decisions prior to January 1, 2027, must comply with the regulations by January 1, 2027. Businesses that use ADMT for significant decisions after January 1, 2027, must comply with the regulations moving forward.

Pre-Use Notice

Businesses that use covered ADMT are required to provide consumers with a pre-use notice. The notice must inform consumers of the business’s use of ADMT and the consumer’s right to opt out and access ADMT. The notice can be provided in the business’s notice at collection.

The regulations set forth the notice’s contents, including (but not limited to) how the business will use ADMT, that the consumer has a right to opt out or appeal and how they can do so, and that they have a right to access ADMT and how they can submit their request.

Right to Opt Out/Appeal

Businesses that use ADMT to make significant decisions must provide consumers with the right to opt out. However, businesses do not have to provide an opt out if they allow consumers to appeal decisions to a human reviewer who has the authority to overturn the decision, subject to certain procedural requirements. Businesses also do not need to provide a right to opt out for certain types of limited work-related decisions, provided the business complies with specific requirements.

Right to Access ADMT

Businesses that use ADMT to make significant decisions concerning consumers must allow consumers to request certain information. This includes the business’s purpose for using ADMT and the outcome of the decision-making process for the consumer, including how the business used ADMT to make the significant decision.

As with the CCPA’s other rights, the regulations provide extensive details on how businesses must accept and respond to requests to opt out, appeal, and access.

Insurance Companies

The new regulation on insurance companies is brief. It provides that insurance companies — as defined in Section 791.02 of the Insurance Code — that meet the definition of “business” under the CCPA shall comply with the CCPA with regard to any personal information not subject to the Insurance Code and its regulations.

Changes to Existing Regulations

Below are some of the more notable changes made to the existing regulations.

Cookie Banners

The new regulations provide some additional context on how to structure cookie banners to properly obtain consent. Specifically, the regulations state that a “consumer closing or navigating away from a pop-up window on a website that requests consent without first affirmatively selecting the equivalent of an ‘I accept’ button shall not constitute consent. Such a method for obtaining consent is confusing to the consumer.”

Privacy Policies

The new regulations make a few tweaks to the privacy policy requirements. Among other things, the regulations clarify that privacy policies must identify the categories of personal information that businesses disclose to service providers or contractors for a business purpose. The regulations previously referred to disclosures to third parties.

Alternative Opt-out Link

The regulations now provide that a business can change the color of the opt-out icon “to ensure that it is conspicuous. For example, if the webpage background is the same color of blue as the icon, the business may invert or change the colors of the icon to ensure visibility.”

Requests to Know

Businesses that retain personal information for longer than 12 months will need to provide a method for consumers to submit requests to know that cover information collected before the most recent 12 months, dating back to January 1, 2022.

Opt-Out Preference Signal

Under the current rules, businesses may (but are not required to) display whether they have recognized a consumer’s opt-out preference signal. Under the new regulations, that display becomes mandatory.

Large Data Holder Disclosures

Businesses that are subject to the large data holder disclosure obligations will also need to provide disclosures around their processing of ADMT requests to access and opt out.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
