WSGR logoWSGR logo
Substantial New CCPA Regulations Inch Closer to Reality: A High-Level Overview of the New Requirements and Their Projected $4 Billion Cost to California Businesses
Alerts
August 7, 2024

On July 16, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss advancing a substantial draft California Consumer Privacy Act (CCPA) rulemaking package to formal proceedings. The proposed regulations include significant new obligations spanning cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and other updates to existing regulations. Together, these regulations would create new compliance obligations for tens of thousands of California businesses and are preliminarily estimated to generate a staggering $4.2 billion in compliance costs for those businesses in their first year alone (not including businesses outside of California that are subject to CCPA).

In its July meeting, the CPPA Board signaled it might reconvene in September to initiate formal rulemaking after receiving requested updates to the proposed regulations from CPPA staff and additional information on the required Standardized Regulatory Impact Assessment (i.e., anticipated economic impact analysis). Once this happens, members of the public will have the opportunity to formally comment on the proposed regulations and urge the CPPA Board to make changes. Entities subject to the CCPA should familiarize themselves with the draft regulations now so that they are prepared to comment when the regulations enter formal rulemaking.

Below is a summary of key provisions in the proposed regulations. A more detailed analysis of each of the major components is available in our Data Advisor blog post here.

I. Cybersecurity Audit Regulations

The proposed regulations would require qualifying businesses to complete annual cybersecurity audits conducted by independent auditors and to certify completion to the CPPA each year. These businesses would need to implement (if they have not already) cybersecurity programs addressing at least the 17 program “components” outlined in the proposed regulations before this requirement would become effective. Key aspects of these proposed regulations include:

  • Applicability. Businesses subject to the CCPA would be required to conduct cybersecurity audits when their processing poses a “significant risk” to consumers’ security because, in the last calendar year, either:
    • 50 percent of the business’s revenue came from “selling” or “sharing” consumers’ personal information (as those terms are defined in the CCPA); or
    • the business met the revenue threshold to qualify as a “business” under the CCPA (around $27 million in the proposed regulations) and processed at least a) 250,000 consumers’ or households' personal information; or b) 50,000 consumers’ sensitive personal information (e.g., precise geolocation, account log-in, and other commonly processed information).
  • Audit scope and requirements. Each year, independent auditors would be required to assess the business’s cybersecurity program, including how it protects personal information from unauthorized access, destruction, use, modification, disclosure, or loss of availability from unauthorized acts. The audit report would need to identify, assess, and document the business’s cybersecurity program, including technical access management and restriction, disaster recovery and business continuity plans, oversight of service providers and contractors, and more. Among other requirements, audits would need to identify and describe components’ gaps and weaknesses, as well as the business’s plans to address them, and would need to include samples or descriptions of certain breach notifications that were provided to agencies or consumers during the audit period.
  • Auditor requirements. Cybersecurity audits would need to be conducted by a qualified, objective, independent auditor using generally accepted procedures and standards. Businesses could use internal (rather than external) auditors, but there would be additional obligations governing the auditor’s reporting chain and performance reviews to preserve their independence.
  • Board obligations and reporting. The cybersecurity audit findings would need to be reported to the business’s board, and a board member would need to sign a statement included in the audit certifying, among other things, that the business did not attempt to influence the audit. A member of the board would also be required to annually certify to the CPPA through its website that the business completed its audit. If the business does not have a board or equivalent governing body, then the highest-ranking executive responsible for oversight of the cybersecurity program or audit compliance could fulfill these responsibilities.

II. Automated Decision-Making Technologies

The draft regulations would require covered businesses to provide pre-use notices for automated decision-making technology (ADMT) informing consumers about the business’s use of ADMT, to offer consumers the ability to opt out of the use of ADMT (subject to certain exceptions), and to allow consumers to access information about how the business used ADMT with respect to that consumer. Key aspects of these proposed regulations include:

  • Two-prong test for applicability: The draft contemplates two threshold questions regarding ADMT for businesses covered under the CCPA to consider. First, is the business making use of an ADMT? Second, assuming so, is the use of that ADMT a “covered use” under the regulations?
  • ADMT Defined: The draft regulations define ADMT as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”
  • Covered Uses: Using ADMT for the following purposes would trigger applicable notice, opt-out, and information access requirements: 1) significant decisions concerning a consumer (for example, access to or the provision or denial of housing, education, employment, and criminal justice), 2) extensive profiling of a consumer (such as profiling through systematic observation or for behavioral advertising), and 3) training ADMT. The application of this last purpose, training ADMT, is unclear, as it does not have an analog in other state or General Data Protection Regulation ADMT requirements. For example, whether this prong will be deemed to apply to large language model chatbots or to certain general purpose AI systems is unclear.
  • ADMT Requirements: Businesses engaging in a covered use of ADMT would be required to provide consumers with following:
    • Pre-Use Notice. The notice would need to inform consumers about the business’s use of ADMT and the consumer’s rights to opt out and access further information.
    • The right to opt out. Subject to several exceptions (for example, when consumers can appeal a “significant decision” to a human), businesses would be required to allow consumers to opt out of their personal information being processed for covered ADMT uses.
    • The right to access ADMT information. Upon request and subject to certain exemptions, businesses would need to provide consumers with a plain language explanation of, among other things, 1) the purpose for which it is using ADMT; 2) the output of the ADMT with respect to that consumer; and 3) how it used the output to make a decision about that consumer.

III. Risk Assessments

The draft regulations would bar businesses from processing personal information for particular activities where the risks to consumers’ privacy outweigh the benefits to the consumer, the business, other stakeholders, and the public. To make that determination, the draft regulations would require businesses to undergo detailed risk assessments before initiating high-risk processing activities and report the results of those assessments annually to the CPPA.

  • Applicability: Risk assessments would need to be conducted before a business could process personal information in a manner that presents a “significant risk” to consumer privacy, including: 1) selling or sharing personal information; 2) processing sensitive personal information; 3) using ADMT for a significant decision concerning a consumer or for “extensive profiling” (including behavioral advertising); or 4) training ADMT or artificial intelligence.
  • Risk Assessment Requirements: At a high level, risk assessments would need to include:
    • specific purpose(s) for processing, the minimum necessary personal information to achieve that purpose, and the categories of personal information to be processed;
    • source and method for collecting, using, retaining, and disclosing personal information;
    • relationship between the business and consumer and categories of third parties to whom personal information would be disclosed;
    • technology used for processing;
    • risks to consumer privacy, including the criteria used to make this determination, and mitigations (e.g., technical safeguards and controls); and
    • benefits to consumers, the business, other stakeholders, and the public, including whether the business stands to profit monetarily from the processing activity (and the amount of estimated profit if possible).
  • Special Requirements for ADMT: In addition to the requirements above, businesses assessing ADMT-related processing would need to identify the ADMT’s logic, output, and how it will be used. Other requirements include explaining what actions they have taken to ensure data quality and whether they evaluated the ADMT to ensure it works as intended and does not discriminate based upon protected classes, as well as identifying associated policies, procedures, and training.
  • Submission to the CPPA: Businesses would be required to submit abridged risk assessments to the CPPA 24 months after the draft regulations go into effect and annually thereafter. Submissions would need to include a certificate of conduct from the business’s highest ranking executive responsible for compliance with these regulations. Within 10 days of a request from the CPPA or California Attorney General, businesses would be required to submit unabridged versions of their assessments. Businesses would not be required to submit risk assessments for processing activities they do not implement; or when a review or update to an existing risk assessment does not result in any material changes to the abridged risk assessment already on-file with the CPPA.

IV. Proposed Changes to Existing Regulations

The draft regulations also propose notable updates to existing regulations, including:

  • increasing fines, penalties, and other monetary thresholds, including raising the gross revenue threshold for when an entity qualifies as a “business” under the CCPA from $25 million to $27.975 million;
  • updating the definition of “sensitive personal information” to include the personal information of consumers the business has actual knowledge are less than 16 years old;
  • adding new substantive requirements for businesses (and other entities covered by the CCPA) to comply with consumer rights requests to delete, correct, and know, and requiring businesses to notify consumers that they can submit a complaint with the CPPA or California Attorney General when the business denies their requests to delete, correct, know, opt out of sale or sharing, or limit the use or disclosure of sensitive personal information;
  • clarifying that businesses would not be providing “symmetry in choice,” and therefore cannot obtain consent, through a “yes” option that is more visually prominent (e.g., more colorful or larger) than a “no” option—currently a common practice for many businesses;
  • requiring businesses, before a connected device (e.g., a smart watch or smart TV) begins to collect certain data, and before a consumer enters an augmented or virtual reality environment, to notify consumers of their rights to opt out of sale and sharing and to limit the use of sensitive personal information;
  • requiring businesses to display whether they have processed a consumer’s opt-out signal as a valid request on their website (e.g., with a toggle, radio button, or phrase such as “Opt-Out Request Honored”); and
  • potentially narrowing the security exception to consumers’ right to limit, at least in the employment context.

V. Next Steps

The CPPA is poised to initiate formal rulemaking for these draft regulations as early as September 2024, at which point, businesses and other members of the public will be invited to submit comments about the draft regulations to the CPPA.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, or preparing a comment regarding these draft regulations, please contact Eddie Holman, Maneesha Mithal, Tracy Shapiro, Erin Delaney, Yeji Kim, Boniface Echols, or any member of the firm’s data, privacy, and cybersecurity practice. For more information or advice concerning your compliance efforts related to ADMT or AI, please contact Scott McKinneyEddie Holman, Maneesha Mithal, or any member of the firm’s artificial intelligence and machine learning working group.

Contributors

WSGR logo
Copyright © 2024 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.