July 24, 2024
California Agency Proposes Tough New Privacy Regulations
The California Privacy Protection Agency is hard at work on a new round of privacy regulations. Find out what they could mean for your business.

The California Privacy Protection Agency has been hard at work since its creation in 2021. It has been raising general awareness of the California Consumer Privacy Act (CCPA), hiring staff in order to begin enforcement, and drafting new regulations that have a big impact on CCPA compliance.

In recent months, the Agency’s regulatory efforts have been focused on two key areas: cybersecurity audits and risk assessments. The CCPA itself requires the Agency to create these regulations, and also gives it a great amount of leeway in deciding how to do so. For these reasons, the business community has been eagerly awaiting news of what the regulations might look like.

Though the new rules are only in the draft stage and are far from finalized, they do give us a general idea of what to expect.

Cybersecurity Audits

tl;dr: Larger businesses would be required to perform in-depth cybersecurity audits on an annual basis.

Though it’s often overlooked, cybersecurity is an important part of CCPA compliance. Businesses have a duty to implement and maintain “reasonable security procedures and practices”; if a business fails to do so and this results in a data breach, it can actually be sued under the CCPA for up to $750 per consumer whose data is affected.

In order to ensure greater security of consumers’ data, the Agency is introducing rules concerning mandatory cybersecurity audits. The proposed audits would be quite substantial, and in recognition of this the Agency is seeking to limit their application based on the size of the business. It has proposed a few different options for when these audits would be required, but seems to be leaning toward something like this:

The business has annual gross revenues in excess of $25 million in the preceding calendar year AND

  • Processed the personal information of one million or more consumers in the preceding calendar year; or
  • Processed the sensitive personal information of 100,000 or more consumers in the preceding calendar year; or
  • Processed the personal information of 100,000 or more consumers that the business had actual knowledge were less than 16 years of age in the preceding calendar year.

All of the numbers included here are still up for debate, as the Agency has yet to finalize a draft, but they give a general idea of the regulators’ current thinking.

The audits themselves must be very thorough and be carried out by a qualified and independent professional, though the auditor can be someone who works at the business. The exact nature of the audit will vary from business to business, based on factors such as the nature of its processing and the risk to consumers. The rules do suggest a number of safeguards that businesses should consider, including:

  • Encryption
  • Zero-trust architecture
  • Account management & access controls
  • Secure configuration of hardware & software
  • Data retention schedules
  • Vulnerability scans
  • And more

In case businesses are thinking they may skate by without actually performing a cybersecurity audit because no one will know, the proposed rules require businesses to submit an annual certification stating that they have fulfilled their obligations.

Read the full proposed regulations on cybersecurity audits

Risk Assessments

tl;dr: Proposed rules would expand on the assessments already required by other states, both in what triggers the need for an assessment and the content of the assessments themselves.

Risk assessments are not new or unique to California; privacy laws from several other states such as Virginia, Connecticut, and Colorado already require businesses to carry out risk assessments in certain situations. Compliance experts have been waiting to see whether the scope of the risk assessments required in California would closely match other states’ requirements, specifically those of Colorado, as it is the only other state to have provided much detail on this area of compliance.

Businesses may be somewhat disappointed to learn that the proposed rules are not identical to the requirements of other states. There is a longer list of processing activities that would trigger a risk assessment, and the assessments themselves also have several additional requirements not found in other states. That is to say, a business that has already performed a risk assessment according to Colorado’s rules may not be able to rely on that assessment meeting California’s new requirements. On the other hand, a risk assessment that meets California standards will likely satisfy the requirements of other states.

Here is the proposed list of processing activities that would trigger the need for a risk assessment:

  • Selling or sharing personal information
  • Processing sensitive personal information (except in the case of employee data processed for normal employment purposes)
  • Using automated decisionmaking technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
  • Using technology to monitor employees, independent contractors, job applicants, or students
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions
  • Processing the personal information of consumers to train artificial intelligence or automated decisionmaking technology

As to the assessment itself, the draft regulations go into some detail about what it must include:

  • A short summary of the processing that presents significant risk to consumers’ privacy
  • The categories of personal information to be processed and whether they include sensitive personal information
  • The context of the processing activity, including the relationship between the business and the consumers whose personal information will be processed
  • The consumers’ reasonable expectations concerning the purpose for processing their personal information, or the purpose’s compatibility with the context in which their personal information was collected
  • The operational elements of the processing
  • The benefits resulting from the processing to the business, the consumer, other stakeholders, and the public
  • The negative impacts to consumers’ privacy associated with the processing
  • The safeguards that the business plans to implement to address the negative impacts
  • The business’s assessment of whether the negative impacts outweigh the benefits

The Agency has also proposed numerous additional requirements for assessments regarding automated decisionmaking technology and the training of AI.

Businesses will be required to annually submit abridged copies of their risk assessments to the Agency, along with a signed certification by an executive stating that the business has fulfilled its obligations.

Read the full proposed regulations on risk assessments

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.