On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Privacy Protection Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:
Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal but the findings must be reporting to the board. Further, these audits must take into account multifactor authentication, encryption and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.
AI and Automated Decision-Making Risk Assessments: If businesses use AI systems to make decisions, it must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:
- Selling or sharing personal information
- Processing sensitive personal information
- Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
- Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
- Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students.
- Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions.
- Processing the personal information of consumers to train AI or automated decision-making technology
If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.