Draft CCPA Regulations Address AI, Risk Assessments, and Audits

The California Privacy Protection Agency unveiled Draft CCPA Regulations addressing AI, Risk Assessment and Audits. Learn what is new and what is likely to have the most impact on businesses.

On August 29, 2023, the California Privacy Protection Agency (CPPA) Board unveiled Draft Regulations on Risk Assessment and Cybersecurity Audit (Draft Regulations) to modify and add to the existing California Consumer Privacy Act (CCPA) regulations.  

At a high level, the Draft Regulations create new compliance obligations for businesses processing consumers’ personal information by requiring them to conduct risk assessments and annual cybersecurity audits. The Draft Regulations also introduce new terms such as “Artificial Intelligence” and “Automated Decisionmaking Technology.”

While the rulemaking process is ongoing, the Draft Regulations provide a glimpse into future requirements for businesses. Let’s look at what is likely to have the most impact on business operations.

What’s New in the Draft Regulations?

The Draft Regulations provide new definitions of “Artificial Intelligence” and “Automated Decisionmaking Technology”.

Artificial Intelligence (AI) is an engineered or machine-based system designed to operate with different levels of autonomy and that can make predictions, recommendations, or decisions that influence physical or virtual environments. This includes generative models, such as language models and facial or speech recognition or detection technology.

Automated Decisionmaking Technology is any system, software, or process that handles personal information and employs computational methods, either entirely or partially, to reach or aid in decisions, including facilitating human decision-making. This technology encompasses profiling, which involves the automated processing of personal information to assess specific characteristics of an individual, especially for the purpose of analyzing or forecasting aspects related to their job performance, financial situation, health, personal preferences, interests, trustworthiness, conduct, whereabouts, activities, or other sensitive information.

Both Artificial Intelligence and Automated Decisionmaking Technology add new security and privacy risks to sensitive data processing that require new controls. Thus, addressing them in one of the most substantial U.S. data privacy regulations is necessary.

More precisely, the Draft Regulations would mandate plain-language explanations of the underlying logic of AI and Automated Decisionmaking Technology. Additionally, they would require disclosure of the extent and specifics of human involvement in the business’s use of AI. They would also require disclosure of the protective measures the business intends to establish to address potential adverse effects on consumers’ privacy tied to the use of AI and Automated Decisionmaking Technology.

Draft Risk Assessment Regulations

According to the new CCPA Draft Regulations, businesses that handle consumers’ personal information in a way that could pose a substantial risk to consumers’ privacy must perform a risk assessment prior to commencing such data processing. Examples of processing activities posing a significant risk to consumers’ privacy and thus necessitating a risk assessment include:

  • selling or sharing personal information;
  • processing sensitive personal information;
  • using Automated Decisionmaking Technology to support a decision that leads to either granting or denying specific financial services, employment, or access to essential goods, services, or opportunities;
  • processing personal information of minors under 16;
  • processing personal information to monitor employees, independent contractors, job applicants, or students;
  • processing personal information in publicly accessible places using technology to monitor behavior, location, movements, or actions;
  • processing personal information of consumers to train Artificial Intelligence or Automated Decisionmaking Technology.

For instance, a business that processes consumers’ photos to extract faceprints for training facial recognition technology must conduct a risk assessment because it involves processing consumers’ personal data for AI training. Similarly, a personal budgeting application that processes consumers’ income data to target them with ads for payday loans on various websites must conduct a risk assessment because it involves the “sharing” of personal information.

What are the Requirements of the Risk Assessment?

The Draft enumerates ten categories of information required to be included in risk assessments under CCPA. At a minimum, a risk assessment shall include the following information:

  • A short summary of the processing that presents a significant risk to consumers’ privacy. The summary shall describe how the business will process the personal information, including how the business will collect, use, disclose, and retain personal information.
  • The categories of personal information to be processed.
  • The context of the processing activity (the relationship between the business and the consumers whose personal information will be processed).
  • The consumers’ reasonable expectations concerning the purpose for processing their personal information, or the purpose’s compatibility with the context in which their personal information was collected.
  • The operational elements of the processing (e.g., the business’s planned method for processing; how long the business will retain personal information; the technology to be used in the processing, etc.).
  • The purpose of processing consumers’ personal information.
  • The benefits resulting from the processing to the business, the consumer, other stakeholders, and the public.
  • The negative impacts on consumers’ privacy associated with the processing, including the sources of these negative impacts.
  • The safeguards that the business plans to implement to address the negative impacts identified in subsection.
  • The business’s assessment of whether the negative impacts, as mitigated by the planned safeguards, outweigh the benefits.

Under the Draft Regulations, businesses should review their risk assessments at least once every three years and update them as necessary. Finally, the Draft Regulations permit businesses to conduct a single risk assessment for processing activities that present similar risks to consumers’ privacy. They also remove the need to conduct a duplicative risk assessment if the business has already conducted and documented a risk assessment under another law or regulation that meets all the requirements of the CCPA Regulations.

Draft Cybersecurity Audit Regulations

The Draft Regulations relating to cybersecurity audits require businesses that process consumers’ personal information in a manner that poses a substantial risk to their privacy or security to conduct annual cybersecurity audits. Businesses shall have 24 months from the effective date of the regulations to complete their first cybersecurity audit.

The rulemaking process is still ongoing, so the requirements for cybersecurity audits are still being defined.

How Can Planet 9 Help?

Planet 9 employs seasoned professionals with years of experience across various industries who can help address CCPA requirements. A typical approach consists of the following process:

  • conduct discovery to understand the client’s organization, business processes, and technologies;
  • identify all client’s data and third parties in the CCPA scope;
  • perform a CCPA assessment to identify compliance gaps;
  • develop a roadmap for addressing the identified compliance gaps and risks;
  • assist the client in executing the roadmap.

If you need any help with information security and compliance services, we’ll be happy to assist:

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646
