California Shares Draft Rules on Audits, Assessments and Automated Decisionmaking

On November 27, California’s dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released a draft of new rules covering automated decisionmaking (yes, they made “decisionmaking” one word). These proposed rules join previously released draft rules for risk assessments and cybersecurity audits. But don’t worry just yet: these are not final rules. CPPA is sharing drafts to facilitate its discussion and public participation before formal rulemaking starts.

There is a lot of new content here (77 pages to be exact) between all three of the draft rules. But, given that formal rulemaking is coming later, we will hover above the weeds for now. We provide an overview of the drafts and their notable provisions, explain what to expect next in the rulemaking process, and then untangle the mess that is the potential effective dates. We’ll bring you a deep dive once we get closer to final rules.

Overview

We start by summarizing each set of new rules—automated decisionmaking, risk assessments, and cybersecurity audits—and sharing some important requirements in each of those rules.

Automated Decisionmaking

Subject to narrow exceptions, CPPA proposes that a company using automated decisionmaking technology (ADMT) for specified purposes must give a pre-use notice explaining the processing, offer the right to opt out of such processing, and provide consumers the right to obtain more information about the use of ADMT. ADMT is “any system, software, or process . . . that processes personal information and uses computation . . . to make or execute a decision or facilitate human decision making.” This aligns with Colorado’s rules by regulating some automated processing that has human involvement (in contrast, the E.U.’s General Data Protection Regulation focuses on fully automated processing).

CPPA proposes to regulate certain high-risk or sensitive uses of ADMT. Specifically, CPPA is targeting uses of ADMT for: (1) processing that creates a legal/significant effect; (2) profiling consumers in public places; and (3) profiling employees, applicants or students. But the draft also presents additional uses for CPPA to consider regulating: profiling of minors, profiling for behavioral advertising, and processing for training the ADMT.

The scope of the pre-use notice, opt-out right, and access right is summarized below:

  • Pre-Use Notice. Companies must explain the purpose of the processing, provide an easy way to obtain details about the processing (e.g., key parameters, intended uses, human involvement, and validity/fairness/reliability testing), and describe the rights to opt out and to request additional information (i.e., an access right, which we discuss below).
  • Opt-Out Right. A company must provide a consumer the right to opt out of ADMT and create a process for the consumer to confirm the company processed the opt-out request.
  • Opt-Out Verification. Companies may require a consumer to verify their identity for an opt-out request only if consumers are more likely than not to be negatively impacted by honoring a fraudulent request.
  • Opt-Out Timing. When a company receives an opt-out request before processing has begun, the company must refrain from using ADMT to process that consumer’s information. If the processing is underway when the request is received, the company must cease the processing as soon as feasible (and no later than 15 business days after receiving the request, not after verifying it).
  • Restricted Behavioral Advertising. When the ADMT is used for behavioral advertising, a company cannot require the consumer to verify their identity, and it cannot rely on the goods/services exception (see Exceptions below) to avoid offering an opt-out right.
  • Access Right. When a consumer submits an access request, the company must explain: (1) why it uses ADMT; (2) what the ADMT outputs; (3) how the company uses (or plans to use) that output to make a decision; (4) how the ADMT worked (e.g., logic, assumptions, key parameters affecting the output); (5) what other CCPA rights are available; (6) how the consumer can obtain the range of possible outputs; and (7) how a consumer can submit a complaint to the company or regulators about the processing. A company can, however, withhold much of that information when it cannot verify the consumer’s identity.
  • Denied Goods/Services. After using ADMT to make a legal/significant decision that results in denying a consumer goods/services (e.g., employment), the company must inform the consumer of the decision, their right to access information about the ADMT, and their right to file a complaint with regulators.
  • Exceptions. There is no obligation to provide pre-use notice or a right to opt out when the processing is to stop fraud, prevent a security incident, protect a consumer’s life/safety, or provide a good/service requested by the consumer when the company can prove there is no reasonable alternative to using ADMT.

Risk Assessments

CPPA’s draft would require companies to conduct a risk assessment before engaging in certain high-risk processing. The assessment needs to cover specific—and highly granular—topics stated in the rules. [This detailed assessment is more akin to Colorado’s requirements rather than the more general provisions in other comprehensive privacy laws, such as Virginia’s requirements.] A company must annually submit abridged copies of its assessments, unless the company did not proceed with the at-issue processing. A company cannot proceed with processing that triggered a risk assessment if it concludes that the risks to consumer privacy outweigh any benefits to consumers, the company or others.

We summarize the important topics in the draft risk-assessment rules below:

  • High-Risk Processing. An assessment is required before: (1) selling personal information or using it for targeted advertising; (2) processing sensitive personal information (except for limited hiring purposes); (3) using ADMT in a way that triggers an opt-out right (see above); or (4) processing data on people under 16. CPPA will also consider requiring a risk assessment for training ADMT or artificial intelligence for various purposes (e.g., generating deep fakes, profiling for behavioral advertising, or conducting facial recognition).
  • Assessors. The assessment is an interdisciplinary effort requiring input from stakeholders across a company, although the company can rely on third parties to identify, assess and mitigate risks. But if ADMT or artificial intelligence is involved, the company must either consult with third parties or explain why it did not consult with them and state what safeguards were implemented to address risks that may arise from the lack of consultation.
  • Content. A company must address in its assessment a laundry list of elements specified by CPPA. The required topics cover issues such as the data, purpose, safeguards, benefits to the consumer or others, negative impacts for the consumer, and operational details (e.g., collection method and technology involved).
  • ADMT and Artificial Intelligence Disclosures. There are more rigorous assessment obligations when (1) using ADMT for purposes that could trigger an opt-out right or (2) processing information to train ADMT or artificial intelligence when either will be made available to third parties.
  • Leadership Review. A company must present the assessment or a summary to the board of directors (or equivalent). If no such body exists, the company must share the details with the highest-ranking executive responsible for overseeing risk-assessment compliance.
  • Timing. A company must conduct the assessment before the processing begins and then review the assessment at least once every three years, although CPPA will consider requiring more frequent reviews for ADMT assessments.
  • Updates. A company must update its assessment when there is a material change—i.e., something that diminishes the benefits, creates new negative impacts, increases the magnitude/likelihood of preexisting negative impacts, or diminishes the effectiveness of existing safeguards.
  • Retention. A company must retain all assessments, including prior versions, until the later of five years after the company completed the assessment or the processing. [The proposal is a bit ambiguous; one reading would allow you to dispose of the assessment when the processing ends, so long as that is at least five years after the assessment was created.]
  • Preexisting Processing. For ongoing processing that begins prior to the rules taking effect, a company must conduct a risk assessment—when warranted based on the triggers above—within 24 months of the rules’ effective date.
  • Consolidated Assessments. A company can conduct one assessment for comparable processing (similar activities with similar risks) and can rely on an assessment performed for another jurisdiction that meets CPPA requirements. CPPA will discuss requiring companies to add an addendum explaining how the existing assessment meets those requirements. [If the assessment for the other jurisdiction does not meet CPPA’s requirements, the company can supplement the assessment with the missing details.]
  • Regulatory Submissions. A company must submit assessment materials—a compliance certification and abridged assessments—each year to CPPA. Upon CPPA’s request, a company must submit unabridged assessments within five business days.

Cybersecurity Audits

CPPA proposes requiring companies to complete a cybersecurity audit using an internal or external auditor if they meet a revenue threshold and a processing-volume threshold. The auditors must assess and document whether a company’s program is appropriate to its size, complexity and processing activities in light of the state of the art and the cost to implement additional safeguards. In doing so, the auditors must evaluate elements specified in the regulation, identify gaps/weaknesses in the program, address the remediation status of previously identified gaps/weaknesses, and identify corrections or amendments to prior audits. If shortcomings are identified, the report must document the plan to address those issues, including by explaining what resources the company allocated to the problem and the timeframe for resolving the problem.

More details on these audits are below:

  • Trigger. A company must complete an audit if it either (1) derives at least 50% of its revenue from selling/sharing personal information or (2) meets an annual-revenue threshold ($25, $50 or $100 million) and one of three annual-volume thresholds. The volume thresholds depend on the information’s sensitivity: personal information (250k, 500k or 1 million consumers), sensitive personal information (50k, 100k or 200k consumers), or minors’ data (50k, 100k or 200k consumers). CPPA is still evaluating where to set the volume and annual-revenue thresholds.
  • Timing. Companies must complete their first audit within 24 months of the rules becoming effective, and then they must complete new audits annually.
  • Scope. The audit must assess the cybersecurity program’s written documentation, safeguards specified in the regulation (e.g., encryption, vulnerability scans and vendor management), and risks from cybersecurity threats that are reasonably likely to materially affect consumers. The audit must also describe breach notices provided to California consumers or other regulators.
  • Recipient. The audit must be reported to the board of directors (or equivalent) or, when no such body exists, the highest-ranking executive responsible for the cybersecurity program.
  • Executive Certification. A member of the company’s board (or highest-ranking executive responsible for cybersecurity) must personally certify that (1) they reviewed and understand the findings and (2) the company did not attempt to influence the audit.
  • Regulatory Certification. The company must provide CPPA with a written certification of compliance with the audit requirements (or submit a written acknowledgment noting they did not fully comply and provide a remediation timeline).
  • Other Audits. A company may rely on audits completed for other jurisdictions or certifications if the company explains how that audit satisfies CCPA’s requirements.

Next Steps

CPPA will discuss these drafts at its upcoming December 8 meeting, where we may learn when it will start the formal rulemaking process. Once that process starts, it kicks off the comment-and-revision loop under California administrative-procedure law (the Office of Administrative Law has a handy FAQ about the process). Proposed rules are subject to an initial 45-day comment period, after which the agency must review and address all submitted comments, which introduces a wild card into the timing equation. Any revisions will likely require an additional comment period of 15 or 45 days, depending on the extent of the changes, and more agency responses. (Rinse and repeat, as necessary.) CPPA would then submit the rules for approval by the Office of Administrative Law, which would in turn have 30 days to deliver them to the California Secretary of State for publication.

Potential Effective Dates

When would the rules be effective, you ask? Great question. How about a three-part, contingent answer? The rules could take effect one year after the Secretary of State publishes them, under the terms of a trial court order requiring CPPA to wait one year for regulations to become effective. But CPPA is appealing that ruling. So, what happens if the ruling is overturned? Well, under normal procedure, the effective date depends on when final rules are delivered to the Secretary of State:

  Date filed with California Secretary of State    Effective date
  September 1 to November 30                       January 1
  December 1 to February 29                        April 1
  March 1 to May 31                                July 1
  June 1 to August 31                              October 1

But an agency can also ask for an expedited effective date, which is what happened with earlier CCPA regulations. That means CPPA’s new rules could be deemed effective as of the date CPPA files them with the Secretary of State.

In short, the potential effective date for these rules may vary widely. We are continuing to monitor their status and will provide updates as they become available.