Preliminary Draft of California Regulations on Cyber Audits and Privacy Risk Review

The California Privacy Protection Agency (CPPA) has published a preliminary draft of regulations on cybersecurity audits and risk assessments that also applies to automated decision-making technologies.

The applicability of the regulations regarding security audits is still open for discussion. The initial draft offers different alternatives for the applicability of the regulations to businesses, based on different criteria of the scope and nature of business operations. The text of the draft regulations suggests, among other things, that –

  • A business will be required to perform the first cybersecurity audit within 24 months after the regulations take effect.
  • The audit will be conducted comprehensively and independently.
  • A business conducting a cybersecurity audit will be required to report it and its results to the California Privacy Protection Agency.

The regulations regarding risk assessments in automated decision-making technology will apply to businesses that process personal data about consumers at a level that constitutes a significant risk to their privacy. The instructions in the draft regulations on this subject suggest, among other things, that –

  • The risk assessment will include the entire organizational structure of the business as well as relevant external factors.
  • The risk assessment review will include, among other things, a summary of the data processing activities, the categories of personal data processed, and the need to process the data for that business.
  • The review will describe how the business plans to collect, store, and process the data, including the sources from which the data originates, how long each category of data will be kept, the technology that will be used to process the data, and more.
  • The business is required to state specifically why the data processing is required and how it achieves the purpose pursued.
  • The risk assessment report will include the benefits arising for the business, the consumer, and other interested parties from the processing of the data.
  • The assessment will also cover the negative effects of data processing on consumer privacy as well as the protective measures that the business plans to implement to mitigate the negative effects.

Businesses that make use of automated decision-making technology must explain the reasons for using the technology and provide information on the processed data and how the business intends to maintain the quality and fairness of the automated decisions.

Click here to read the draft cybersecurity audit regulations of the California Privacy Protection Agency.

Click here to read the draft risk assessment regulations of the California Privacy Protection Agency.