On December 8, the California Privacy Protection Agency (CPPA or “the Agency”) held a public Board meeting to discuss a range of topics, including proposed regulations on cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT), proposed revisions to existing regulations implemented pursuant to the California Consumer Privacy Act (CCPA), proposed regulations that would clarify the application of the CCPA to certain data processing activities of insurance companies, and a proposal to support legislation requiring browser vendors to include native support for opt-out preference signals.

The majority of the meeting focused on the Agency’s proposed cybersecurity audit, risk assessment, and ADMT regulations. After lengthy discussions on all three proposals, the Board voted to move the cybersecurity audit regulations towards the formal rulemaking process, but elected to have Agency staff revise the risk assessment and ADMT regulations for further discussion at a future Board meeting. The discussions on these proposals highlighted themes — such as the scope of the regulations and their associated compliance burdens — that are likely to recur as these proposed regulations continue to move towards formal rulemaking, public comment, and enactment.

In this post, we summarize key takeaways from this month’s CPPA Board meeting. 

Key Takeaways

1. Rulemaking Progress: The Board authorized Agency staff to prepare several sets of regulations for advancement into the formal rulemaking process (which will include a 45-day public comment period). These included the proposed cybersecurity audit regulations, revisions to the already-implemented CCPA regulations, and proposed regulations that would clarify the application of the CCPA to certain data processing activities of insurance companies. In contrast, the Board decided to continue internal deliberations on the risk assessment and ADMT regulations, requesting that Agency staff revise these proposals in line with the December 8 discussion and additional Board member inputs and circulate revised versions for discussion at a future Board meeting.

2. Scope of Regulations: The scope of the proposed cybersecurity audit, risk assessment, and ADMT regulations has been a recurring point of contention throughout the informal rulemaking process, and this month’s Board meeting was no exception. The discussion on this topic largely focused on three areas:

• Breadth of ADMT Definition: Board members and public commenters repeatedly raised concerns about the breadth of key definitions in the proposed regulations. These concerns centered primarily on the definition of ADMT, which plays a key role in delineating the reach of the ADMT and risk assessment regulations. Currently, these regulations define ADMT as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” Critical Board members and public commenters argued that this definition is so broad that it would essentially encompass any type of software or algorithm, raising the specter of businesses being required to, for example, conduct a risk assessment before buying an off-the-shelf software product. As noted above, both the ADMT and risk assessment regulations will be revised by Agency staff and discussed again at a future meeting, meaning that we may see a narrowing of this definition in future drafts.  

• Topics Addressed in Cybersecurity Audits and Risk Assessments: Board members also expressed some consternation at specific topics currently required to be included as part of the cybersecurity audits and risk assessments. For instance, several Board members critiqued the cybersecurity audit regulations’ provision defining the evaluation of psychological harms to consumers as within the scope of cybersecurity audits, positing that such evaluations would be outside the expertise of information security professionals and potentially invite lawsuits, given recent litigation filed in relation to California’s Age-Appropriate Design Code Act. Board members expressed similar concerns about the risk assessment regulations’ requirement that businesses assess constitutional harms as part of their consideration of the negative impacts associated with a given data processing activity, arguing that such analysis would lie outside the scope of a business’s expertise.

• Employee Opt-Outs for ADMT: Board members also raised concerns about the possibility of employees relying on the ADMT regulations to opt-out of standard human resources and performance-related monitoring. One Board member, for example, noted that, while most people would probably agree that ADMT should not be used for such ends as identifying employees that are engaged in labor organizing or suffering from health problems, ADMT could legitimately be used to assess various performance metrics (e.g., determining whether delivery truck drivers are running red lights or how many calls a call-center employee is completing per hour).

3. Burdens on Businesses. A desire to reduce compliance burdens associated with the proposed regulations was another consistent theme throughout the public meeting. Board members repeatedly flagged provisions — ranging from response timeframes to required analyses to mandated government reporting —   that threatened to impose onerous compliance costs on businesses and noted the importance of gathering inputs from the business community through the public comment process in order to ensure that the regulations ultimately impose reasonable and achievable requirements. 

4. Opt-Out Preference Signal Legislative Proposal. In a notable non-regulatory development, the Board also voted to approve in concept a recommendation from Agency staff that the Agency support a legislative proposal to require browser vendors “to include a feature that allows users to exercise their California privacy rights through opt-out preference signals.” Accordingly, Agency staff will proceed with identifying a legislative author and working with that legislator to develop the relevant legislative language, providing updates to the Board on an as-needed basis. Such legislation would be important in increasing utilization of opt-out preference signals. As the staff’s recommendation noted, only three browsers (with relatively limited market share) currently offer native support for opt-out preference signals, meaning that consumers that seek to utilize this technology must “take extra steps to find and download a browser plugin created by third-party developers.”

5. Looking Ahead. Board members mentioned the next Board meeting likely taking place around January 2024. Key topics of discussion during this meeting are likely to include revisions to the draft risk assessment and ADMT regulations.