The California Privacy Protection Agency unveiled Draft CCPA Regulations addressing AI, Risk Assessment and Audits. Learn what is new and what is likely to have the most impact on businesses.
On August 29, 2023, the California Privacy Protection Agency (CPPA) Board unveiled Draft Regulations on Risk Assessment and Cybersecurity Audit (Draft Regulations) to modify and add to the existing California Consumer Privacy Act (CCPA) regulations.
At a high level, the Draft Regulations create new compliance obligations for businesses processing consumers’ personal information by requiring them to conduct risk assessments and annual cybersecurity audits. They also introduce newly defined terms, including “Artificial Intelligence” and “Automated Decisionmaking Technology.”
While the rulemaking process is ongoing, the Draft Regulations provide a glimpse into future requirements for businesses. Below we look at the provisions likely to have the most impact on business operations.
The Draft Regulations provide new definitions of “Artificial Intelligence” and “Automated Decisionmaking Technology”.
Artificial Intelligence (AI) is an engineered or machine-based system designed to operate with different levels of autonomy and that can make predictions, recommendations, or decisions that influence physical or virtual environments. This includes generative models, such as language models and facial or speech recognition or detection technology.
Automated Decisionmaking Technology is any system, software, or process that handles personal information and employs computational methods, either entirely or partially, to reach or aid in decisions, including facilitating human decision-making. This technology encompasses profiling, which involves the automated processing of personal information to assess specific characteristics of an individual, especially for the purpose of analyzing or forecasting aspects related to their job performance, financial situation, health, personal preferences, interests, trustworthiness, conduct, whereabouts, activities, or other sensitive information.
Both Artificial Intelligence and Automated Decisionmaking Technology introduce new security and privacy risks to the processing of sensitive data, and those risks require new controls. Addressing them in one of the most substantial U.S. data privacy regulations is therefore a logical step.
More precisely, the Draft Regulations would mandate plain-language explanations of the underlying logic of AI and Automated Decisionmaking Technology. They would also require disclosure of the extent and specifics of human involvement in the business’s use of AI, and disclosure of the safeguards the business intends to put in place to address potential adverse effects on consumers’ privacy tied to its use of AI and Automated Decisionmaking Technology.
According to the new CCPA Draft Regulations, businesses that handle consumers’ personal information in a way that could pose a substantial risk to consumers’ privacy must perform a risk assessment prior to commencing such data processing. Examples of processing activities posing a significant risk to consumers’ privacy and thus necessitating a risk assessment include:
For instance, a business that processes consumers’ photos to extract faceprints for training facial recognition technology must conduct a risk assessment because it involves processing consumers’ personal data for AI training. Similarly, a personal budgeting application that processes consumers’ income data to target them with ads for payday loans on various websites must conduct a risk assessment because it involves the “sharing” of personal information.
The Draft enumerates ten categories of information required to be included in risk assessments under CCPA. At a minimum, a risk assessment shall include the following information:
Under the Draft Regulations, businesses must review their risk assessments at least once every three years and update them as necessary. The Draft Regulations also permit businesses to conduct a single risk assessment for processing activities that present similar risks to consumers’ privacy, and they remove the need for a duplicative assessment where the business has already conducted and documented a risk assessment under another law or regulation that meets all the requirements of the CCPA Regulations.
The Draft Regulations relating to cybersecurity audits require businesses that process consumers’ personal information in a manner that poses a substantial risk to their privacy or security to conduct annual cybersecurity audits. Businesses would have 24 months from the effective date of the regulations to complete their first cybersecurity audit.
Because the rulemaking process is still ongoing, the specific requirements for cybersecurity audits are still being defined.
Planet 9 employs seasoned professionals with years of experience working in various industries that can help with addressing CCPA requirements. A typical approach consists of the following process:
If you need any help with information security and compliance services, we’ll be happy to assist: