The California Privacy Protection Agency (CPPA) has released its agenda for the September 8 board meeting, which includes (among other topics) presentation of a draft Cybersecurity Audit Regulation and a draft Risk Assessment Regulation. The formal rulemaking process has not yet commenced, but these drafts are presented for board discussion, including options for board consideration, and public participation. When enacted, these regulations will impose the most rigorous audit and risk assessment requirements of any U.S. privacy law on covered businesses, their service providers and contractors.
Cybersecurity Audit Regulation
It’s important that service providers and contractors review this draft to understand what the CPPA may be thinking regarding the cybersecurity audit. This draft includes requirements for service providers and contractors, including assisting businesses required to comply with CCPA/CPRA with the audit regulation.
Takeaways from this preliminary draft include specifics relating to the scope, timelines, and independence of the auditor. These specifics include requirements that the cybersecurity audit must:
- Assess, document, and summarize each applicable component of the covered business’ cybersecurity program;
- Identify any gaps or weaknesses in the covered business’ cybersecurity program;
- Address the status of any gaps or weaknesses identified in any prior cybersecurity audit; and
- Identify any corrections or amendments to any prior cybersecurity audit.
Risk Assessment Regulation
The draft Risk Assessment Regulation includes important definitions that had been delegated to the CPPA in the language of the CPRA, including Artificial Intelligence and Automated Decision-Making Technology. As with the Cybersecurity Audit Regulation, the Risk Assessment Regulation outlines requirements for service providers and contractors, including assisting covered businesses with the risk assessments and providing “meaningful information” to the consumer about its Automated Decision-Making Technology. The Risk Assessment Regulation includes detail regarding specific information that must be included in the risk assessment and requires that every covered business whose processing of consumer personal information “presents a significant risk to consumers’ privacy” conduct a risk assessment before initiating that processing. Such “processing” includes in the draft:
- Selling or sharing personal information;
- Processing “sensitive personal information,” with certain exceptions;
- The use of Automated Decision-Making Technology under certain defined circumstances; and
- Processing the personal information of consumers to train Artificial Intelligence or Automated Decision-Making Technology.
Although these are discussion drafts only, it is advised that companies (including service providers and contractors) review these carefully as they will likely have significant operational impacts.