On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:
- Requiring businesses to conduct and document detailed risk assessments for a wide range of personal information processing activities, including “selling” or “sharing” personal information (according to the CCPA’s definitions). These risk assessments would have to cover a broad array of topics in detail (for example, consideration of an extensive set of harms ranging from psychological harms to Constitutional harms, such as chilling speech).
- For businesses that use automated decision-making technology in a way that triggers a yet-to-be-determined opt-out requirement under the CCPA: adding additional elements to their risk assessments, such as “plain language” explanations of the technology’s logic, the outputs obtained from the technology, and how the business will evaluate the technology for “validity, reliability, and fairness.”
- Updating risk assessments whenever there is a “material change in the processing activity,” for which there are many possible triggers.
- Annually submitting an abridged version of the assessments with a compliance certification and making risk assessments available to the CPPA upon request.
- Requiring annual independent, detailed cybersecurity audits for businesses whose use and processing of consumer data meets a threshold for presenting a "significant risk" to consumer security, which is triggered when either of two tests is met:
- the business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information in the preceding calendar year, or
- one of three proposed thresholds is met, which would rely on factors such as annual gross revenues, number of consumers whose personal information was processed, and number of employees at the business.
More detail about these requirements is provided below.
Risk Assessment Draft Regulations
- Expansive scope: The draft regulations would require businesses subject to the CCPA to conduct and document detailed risk assessments for a wide range of personal information processing activities, including 1) “selling” or “sharing” personal information (according to the CCPA’s definitions); 2) processing sensitive personal information (which is defined broadly by the CCPA and includes information like account login credentials); 3) using “automated decision-making technology” to make certain consequential decisions, such as for lending, housing, healthcare services, employment, or access to essential goods or services; 4) processing the personal information of consumers under 16; 5) using technology to monitor employees, independent contractors, job applicants, or students; 6) using technology to monitor consumers’ behavior, location, movements, or actions in publicly accessible places; and 7) processing the personal information of consumers to train artificial intelligence or automated decision-making technology. Notably, “monitor” is not defined in these draft regulations.
- Expansive definitions of artificial intelligence and automated decision-making technology: The draft regulations provide expansive definitions of both artificial intelligence (“an engineered or machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions that influence physical or virtual environments”) and automated decision-making technology (“any system, software, or process—including one derived from machine-learning, statistics, other data-processing techniques, or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking”). Read broadly, these definitions could encompass a sweeping number of technologies, including common data analysis tools as basic as Microsoft Excel.
- Extensive documentation requirements: Businesses would be required to cover a broad array of topics in these risk assessments, such as the categories of personal information to be processed; the context of the processing activity; a detailed analysis of consumers’ reasonable expectations concerning the purpose for processing their personal information; operational elements of the processing, including retention periods and technology to be used; the purpose, benefits, and negative impacts of the processing; and any safeguards the business plans to implement to address any negative impacts. Businesses would have to consider a broad range of potential harms, including Constitutional harms (such as chilling speech), psychological harms, discrimination, and physical harms.
- Additional requirements for artificial intelligence and automated decision-making technology: Businesses that use automated decision-making technology in a way that triggers a yet-to-be-determined opt-out requirement under the CCPA would have to include additional elements in their risk assessments, including “plain language” explanations of the technology’s logic; the outputs obtained from the technology; the reasons for using the technology; what personal information the technology will process; how the business will evaluate the technology for “validity, reliability, and fairness”; the degree and details of any human involvement in the use of the technology; and, if the business has not consulted external parties when drafting these risk assessments, an explanation of that decision and the safeguards implemented to address the risks of not consulting external parties. Businesses that use personal information to train artificial intelligence or automated decision-making technology would also be subject to additional requirements, including documenting how they will ensure that other persons using that technology are using it for appropriate purposes.
- Requirement to update risk assessments: The draft regulations would require updating risk assessments whenever there is a “material change in the processing activity.” The draft regulations provide a long list of changes that could be considered “material,” including changes to the purpose of processing consumers’ information, the operational elements of the processing, the reasons for using automated decision-making technology, the logic of the automated decision-making technology the business uses, the degree and details of any human involvement in the automated decision-making technology, and the benefits and negative impacts of the processing.
- Similarity to Colorado Privacy Act regulations: The draft regulations would allow businesses to repurpose risk assessments that they have completed to comply with other laws and regulations. Although many state privacy laws require these types of assessments, only Colorado has released final regulations that provide details on how these assessments should be conducted. There is significant overlap between the requirements in Colorado’s regulations and the CPPA’s draft regulations (particularly with respect to the content that they must cover), but any business subject to both requirements would likely need to supplement any assessment that they prepare for Colorado to meet the CCPA’s unique requirements (particularly for any businesses that use artificial intelligence or automated decision-making technology).
- Submission to the CPPA: Under the draft regulations, businesses would be required to annually submit to the CPPA their risk assessments “in an abridged form,” along with a compliance certification by a designated executive. In addition, businesses would be required to make their complete risk assessments available to the CPPA upon request. While the statute’s provision that gives the CPPA rulemaking authority on this topic, Cal. Civ. Code § 1798.185(a)(15)(B), makes clear that “[n]othing in this section shall require a business to divulge trade secrets,” the draft regulations do not address how this restriction is meant to apply to the submission requirement (e.g., whether businesses can redact information related to trade secrets, withhold risk assessments that contain information related to trade secrets, or omit such information from risk assessments entirely when preparing them).
Cybersecurity Audit Draft Regulations
- Scope: The draft regulations would require businesses to conduct an annual independent cybersecurity audit when their processing of personal information meets one of the proposed thresholds for presenting a "significant risk" to consumers’ security; the trigger is the assessed risk to the consumer personal information the business handles, not the business’s size alone. The draft "significant risk" thresholds present a two-pronged assessment, under which a business would be covered by the audit requirement if either of two tests is met. The first test would require annual cybersecurity audits for any business that derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information in the preceding calendar year, regardless of total revenue. The second test has three proposed variants that would rely on factors such as annual gross revenues, number of consumers whose personal information was processed, and number of employees at the business. Notably, the analysis of whether a business would be covered by the mandatory cybersecurity audit regulations is separate from the analysis of whether the CCPA applies to the business at all.
- Annual Cybersecurity Audit Requirements: For applicable businesses, the draft cybersecurity audit requirements call for an independent assessment and documentation of the business’s cybersecurity program, appropriate to the size and complexity of the business and the nature and scope of its processing activities. Audits would take into account the state of the art and the cost of implementation. The proposed requirements would require that each applicable component of the business’s cybersecurity program, and any gaps or weaknesses, be summarized. The audits would also have to specifically address the status of any gaps or weaknesses identified in any prior cybersecurity audit and identify any corrections or amendments to prior cybersecurity audits. The proposed audit would assess technical and procedural safeguards, including account management controls, business continuity plans, incident response management, data retention schedules, and service provider oversight. Businesses that have already completed a cybersecurity audit, assessment, or evaluation that meets all of the final requirements would not be required to complete a duplicative cybersecurity audit, but would be required either to explain how the previous audit meets all of the requirements set forth in the final regulations or to supplement the previous audit to cover the additional requirements in the regulations.
- Auditor Requirements: The cybersecurity audits would need to be conducted by an internal or external auditor who is a qualified, objective, independent professional using procedures and standards generally accepted in the auditing profession. The auditor would be barred from involvement in the development, implementation, or maintenance of the business’s cybersecurity program. Additionally, the auditor could not prepare the business’s documents or participate in the business activities that the auditor may review within the cybersecurity audits. If a business uses an internal auditor, the auditor would be specifically required to report issues regarding the cybersecurity audit directly to the business’s board of directors or governing body, rather than to business management with direct responsibility for the business’s cybersecurity program. If the business does not have a board or equivalent body, the internal auditor would report to the business’s highest-ranking executive who does not have direct responsibility for the business’s cybersecurity program. The auditor’s compensation and performance evaluation would likewise have to be determined by the business’s board of directors, governing body, or highest-ranking executive who does not have direct responsibility for the business’s cybersecurity program.
- Audit Specifications: The draft language includes multiple proposed options for documenting how the business’s cybersecurity program ensures consumer security. One proposed approach would require the cybersecurity audit to assess and document any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect consumers. Another proposed approach focuses on the potential harm to consumers: it would require documentation of how the business considers and secures against the negative impacts posed by threats to consumer data integrity, including economic, physical, psychological, and reputational harm.
- Breach Notification Treatment in the Cybersecurity Audit: If the business was required to notify any agency with jurisdiction over privacy laws or other data processing authority (in California or otherwise) of unauthorized access, destruction, use, modification, or disclosure of personal information or of unauthorized activity resulting in the loss of availability of personal information, the initial or annual cybersecurity audit would include a description of the required notification and details of the activity giving rise to the notification. This includes related remediation measures taken by the business. If the business provided notifications to affected consumers pursuant to relevant California law, the annual cybersecurity audit would be required to include a description of those notifications, a description of the notification to the Attorney General, and the details of such personal information security breaches.
- Compliance Notification Requirement: Businesses required to conduct these cybersecurity audits would be required to submit documentation of a completed audit to the CPPA through either of two proposed methods:
- a written certification that the business complied with the requirements of these regulations during the 12 months that the audit covers; or
- a written acknowledgment that the business did not fully comply with the requirements within the 12 months that the audit covers. Such a disclosure would require the business to identify which requirements were not met and to describe the nature and extent of the noncompliance. Additionally, businesses submitting an acknowledgment of noncompliance would be required to provide a remediation timeline or confirmation that remediation has been completed.
- Timeline for Cybersecurity Audit Implementation: Businesses covered by the cybersecurity audit requirement would have 24 months from the effective date of the regulations to complete the first cybersecurity audit. Cybersecurity audits would be required annually thereafter.
These draft rules are the first iteration of the CPPA’s second CCPA rulemaking package, and they will likely undergo several rounds of revisions before being finalized. Notably, the CPPA is also considering rules on access and opt-out rights relating to automated decision-making technology as part of this second package, but it has not yet released a draft. The CPPA also has yet to specify a timeline for when these rules will be finalized or take effect.