On July 14, the California Privacy Protection Agency (CPPA or the “Board”) hosted a meeting to discuss key issues. Notably, the Board’s New CPRA Rules Subcommittee (“the Subcommittee”) previewed three areas of forthcoming regulation: automated decision-making technology (ADMT), cybersecurity audits, and cybersecurity risk assessments.
The Board’s discussion largely focused on the applicable thresholds and boundaries that businesses will need to meet in order to be subject to these regulations. The applicable thresholds center on the type of processing that the business is engaged in and the size of and resources available to the business — thus, these thresholds would serve to minimize regulatory burdens on small and medium-sized businesses.
As a next step, Chairperson Jennifer Urban suggested that the Subcommittee prepare the actual language of the regulations so that the Board will have the opportunity to review and comment on it. Businesses should continue to pay close attention as these proposals develop, as the results of these processes will likely lead to additional compliance requirements in these areas of focus.
Looking ahead, businesses that would like to prepare in anticipation of CPRA developments can turn to other state privacy law frameworks for guidance. For example, the Colorado Privacy Act establishes a framework for businesses that engage in automated decision-making. Under this framework, businesses must provide consumers the opportunity to opt out of profiling that is based on automated processing, as well as follow certain procedures where a consumer’s request to opt out of human-reviewed automated processing is denied. Notably, the Board has previously requested feedback on California’s potential adoption of Colorado’s approach to cybersecurity regulation. The Colorado privacy law mandates that companies conduct data protection assessments for processing activities that present a heightened risk of harm. As such, businesses looking for insight into the Board’s potential approach to cybersecurity audits and assessments should turn to Colorado’s compliance requirements.
We summarize the current proposal below and will continue to track the development of these regulations on this blog. We are happy to answer any questions that you may have about how the Board’s ongoing regulatory efforts may affect your business.
Automated Decision-making Technology (ADMT)
As the first step to ADMT regulation, the Board is focusing on developing the definition of ADMT, with the goal of broadening the definition as much as possible. Under the current proposal, ADMT would be defined as “any system, software, or process—including one derived from machine-learning, statistics, or other data processing or artificial intelligence techniques—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision making. ADMT includes profiling” (emphasis added). Currently, the California Consumer Privacy Act (CCPA) defines “profiling” as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Cal. Civ. Code § 1798.140(z). However, it remains unclear whether the Subcommittee will adopt this definition of profiling. Indeed, Chairperson Urban noted during the meeting that this definition covers only a subset of profiling.
Under the Subcommittee’s proposal, businesses that use ADMT will have obligations only if they meet certain thresholds. To determine applicability, businesses will need to ask:
- Is ADMT used in relation to decision making associated with the denial of services such as financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities?
- Is ADMT used to monitor or surveil employees or job applicants?
- Is ADMT used to track the behavior, location, movements, or actions of consumers in publicly accessible places?
- Does ADMT process personal information of consumers where there is actual knowledge that those consumers are less than 16 years of age?
- Is ADMT used to process personal information for the purpose of training ADMT models?
To the extent these questions apply, businesses may be subject to ADMT regulation.
The Board also discussed regulations regarding cybersecurity audits. The Subcommittee noted that most privacy and data protection laws do not require cybersecurity audits, but highlighted several frameworks that it is considering as references for potential regulation, such as the NIST Cybersecurity Framework and NY DFS cybersecurity regulations. The Subcommittee is contemplating how to make auditing feasible for businesses by considering a number of thresholds. This is good news for small and medium-sized businesses, because the thresholds currently proposed are based on the size of the organization, on the resources available to the business, and on how involved the business is with consumer personal information. Potential thresholds include:
- Businesses primarily or significantly engaged in sale or sharing of personal information (e.g., data brokers).
- Larger businesses that potentially meet a particular revenue or processing threshold (e.g., annually processing the personal or sensitive information of a certain number of consumers or households or annually processing the personal information of a certain number of consumers less than 16 years of age).
Finally, the Subcommittee discussed the obligations of businesses associated with risk assessments. The Subcommittee’s proposal included recommended and potential thresholds to determine the applicability of regulations pertaining to the performance of risk assessments.
Thresholds recommended for implementation included:
- Selling or sharing personal information.
- Processing sensitive personal information, except for employers processing sensitive personal information for limited employment purposes.
- Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age.
- Using ADMT for decisions related to denial of services such as financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities.
Thresholds recommended for further discussion include:
- Processing the personal information of employees or job applicants;
- Processing the personal information of consumers in publicly accessible places through technologies that track consumers’ behavior, location, movements, or actions; and
- Processing the personal information of consumers to train artificial intelligence.