On July 16, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss advancing a substantial draft California Consumer Privacy Act (CCPA) rulemaking package to formal proceedings. The proposed regulations include significant new obligations spanning cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and other updates to existing regulations. Together, these regulations would create new compliance obligations for tens of thousands of California businesses and are preliminarily estimated to generate a staggering $4.2 billion in compliance costs for those businesses in their first year alone (not including businesses outside of California that are subject to CCPA).
In its July meeting, the CPPA Board signaled it might reconvene in September to initiate formal rulemaking after receiving requested updates to the proposed regulations from CPPA staff and additional information on the required Standardized Regulatory Impact Assessment (i.e., anticipated economic impact analysis). Once this happens, members of the public will have the opportunity to formally comment on the proposed regulations and urge the CPPA Board to make changes. Entities subject to the CCPA should familiarize themselves with the draft regulations now so that they are prepared to comment when the regulations enter formal rulemaking.
Below is a summary of key provisions in the proposed regulations. A more detailed analysis of each of the major components is available in our Data Advisor blog post here.
I. Cybersecurity Audit Regulations
The proposed regulations would require qualifying businesses to complete annual cybersecurity audits conducted by independent auditors and to certify completion to the CPPA each year. These businesses would need to implement (if they have not already) cybersecurity programs addressing at least the 17 program “components” outlined in the proposed regulations before this requirement would become effective. Key aspects of these proposed regulations include:
II. Automated Decision-Making Technologies
The draft regulations would require covered businesses to provide pre-use notices for automated decision-making technology (ADMT) informing consumers about the business’s use of ADMT, to offer consumers the ability to opt out of the use of ADMT (subject to certain exceptions), and to allow consumers to access information about how the business used ADMT with respect to that consumer. Key aspects of these proposed regulations include:
III. Risk Assessments
The draft regulations would bar businesses from processing personal information for particular activities where the risks to consumers’ privacy outweigh the benefits to the consumer, the business, other stakeholders, and the public. To make that determination, the draft regulations would require businesses to undergo detailed risk assessments before initiating high-risk processing activities and report the results of those assessments annually to the CPPA.
IV. Proposed Changes to Existing Regulations
The draft regulations also propose notable updates to existing regulations, including:
V. Next Steps
The CPPA is poised to initiate formal rulemaking for these draft regulations as early as September 2024, at which point businesses and other members of the public will be invited to submit comments about the draft regulations to the CPPA.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, or preparing a comment regarding these draft regulations, please contact Eddie Holman, Maneesha Mithal, Tracy Shapiro, Erin Delaney, Yeji Kim, Boniface Echols, or any member of the firm’s data, privacy, and cybersecurity practice. For more information or advice concerning your compliance efforts related to ADMT or AI, please contact Scott McKinney, Eddie Holman, Maneesha Mithal, or any member of the firm’s artificial intelligence and machine learning working group.