AI and Audits: Proposed CCPA Regulations Up for Discussion

Robinson+Cole Data Privacy + Security Insider

On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Privacy Protection Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:

Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security,” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal, but the findings must be reported to the board. Further, these audits must take into account multifactor authentication, encryption, and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.

AI and Automated Decision-Making Risk Assessments: If businesses use AI systems to make decisions, they must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
  • Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions
  • Processing the personal information of consumers to train AI or automated decision-making technology

If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
