On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Privacy Protection Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:

Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal but the findings must be reporting to the board. Further, these audits must take into account multifactor authentication, encryption and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.

AI and Automated Decision-Making Risk Assessments: If businesses use AI systems to make decisions, it must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
  • Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students.
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions.
  • Processing the personal information of consumers to train AI or automated decision-making technology

If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.