CPPA Declines to Advance New Draft CCPA Regulations
July 30, 2024
By Jeremy Berkowitz & Hannah Edmonds
Background and Current State of New Draft CCPA Regulations
The California Privacy Protection Agency (CPPA) Board met last week to discuss the latest updates on California Consumer Privacy Act (CCPA) draft regulations for cybersecurity audits, risk assessments, automated decision-making technology (ADMT), insurance companies, as well as updates to existing regulations. It was expected that the Board was going to approve these updates, but they instead postponed finalizing them.
Because the CPPA Board decided not to move forward, the updates remain discussion drafts and no date has been set for the public comment period to begin. We provide an overview of these updates below.
ADMT and Risk Assessment Regulations
A few key takeaways from the updates to ADMT and risk assessment requirements in the proposed draft regulations include:
- Several revised definitions, notably including, but not limited to, the following:
  - ADMT – Defines parameters of what ADMT is and is not. ADMT is any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making. While ADMT includes profiling, it does not include technologies such as web hosting, domain registration, networking, etc., if those technologies do not execute a decision, replace human decision-making, or substantially facilitate human decision-making.[1]
  - Request to access ADMT – A consumer request whereby a business provides information to the consumer about the business’s use of ADMT with respect to that consumer.[2]
  - Request to appeal ADMT – A consumer request to appeal a business’s use of ADMT for significant decisions.[3]
  - Request to opt-out of ADMT – A consumer request for a business to not use ADMT with respect to that consumer.[4]
  - Right to access ADMT – A consumer’s right to request that a business provide information to them about its use of ADMT.[5]
  - Profiling – Defines parameters of what profiling is, which includes any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and to analyze or predict aspects concerning that person’s intelligence, ability, aptitude at work, etc.[6]
- Updated pre-use notice requirements for ADMT – Businesses using ADMT must provide consumers with a Pre-use Notice that includes a link through which consumers can opt-out of the business’s use of ADMT.[7]
- Opt-out exceptions for ADMT – For significant decisions concerning consumers, if businesses provide consumers with a method to appeal the decision to a qualified human reviewer who has authority to overturn the decision (“human appeal exception”), those businesses are not required to provide consumers with the ability to opt-out of the business’s use of ADMT for a significant decision concerning consumers.[8]
- Revised risk assessment thresholds – Businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy as noted in § 7150 (b) must conduct a risk assessment before initiating that processing.[9] Processing activities presenting significant risk to consumers’ privacy include:
  - selling or sharing personal information, as defined in the CCPA;
  - processing sensitive personal information;
  - using ADMT for a significant decision concerning a consumer or for extensive profiling; and
  - processing consumers’ personal information to train ADMT or AI that is capable of being used for specific things, such as for a significant decision concerning a consumer or to establish individual identity.[10]
- Revised risk assessment requirements – Businesses must conduct risk assessments to determine whether the risks to consumers’ privacy from processing personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public from that same processing. In doing this, businesses must identify the following:
  - Purposes for processing consumers’ personal information;
  - Categories of personal information to be processed and whether they include sensitive personal information;
  - Benefits to the business, consumers, other stakeholders, and the public from processing personal information;
  - Negative impacts to consumers’ privacy associated with the processing, identifying the sources and causes of those negative impacts along with the criteria the business used to make those determinations;
  - Safeguards the business plans to implement to address the negative impacts identified;
  - Whether the business will initiate the processing subject to the risk assessment;
  - Contributors to the risk assessment, including individuals within the business and external parties; and
  - Date the assessment was reviewed and approved, along with the names and positions of the individuals responsible for review and approval.[11]
- Revised risk assessment submission requirements – Businesses must submit risk assessment materials for the first time within 24 months from the effective date of these regulations and annually thereafter. Materials to be submitted include a certification of conduct, risk assessments in abridged form, and risk assessments in unabridged form.[12]
Existing CCPA Regulations Updates
A few key takeaways from the updates to existing CCPA Regulations in the proposed draft regulations include the following:
- Several revised definitions, notably including, but not limited to, the following:
  - Physical or biological identification or profiling – Identifying or profiling a consumer using information depicting or describing their physical or biological characteristics, or measurements of or relating to their body; and personal information of consumers that the business has actual knowledge are less than 16 years old. Further, businesses that disregard a consumer’s age are deemed to have had actual knowledge of the consumer’s age.[13]
  - Sensitive personal information – Personal information revealing elements such as a consumer’s social security number, driver’s license, account log-in, financial account, geolocation, racial or ethnic origin, contents of the consumer’s mail, or genetic data, as well as personal information of consumers that a business has actual knowledge are less than 16 years of age. Businesses that willfully disregard consumers’ age shall be deemed to have had actual knowledge of the consumers’ age.[14]
  - Systemic observation – Methodical and regular or continuous observation, such as when using Wi-Fi or Bluetooth tracking.[15]
- Denying consumer requests – Where a business denies a consumer request to delete (in whole or in part), to correct, to know, to opt-out of sale or sharing, or to limit the business’s use of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, that business must also inform the consumer that they can file a complaint with the CPPA and the Attorney General, and must provide links to the complaint forms on their respective websites.[16]
- Verification of consumer requests – Businesses must first match the identifying information provided by a consumer to that consumer’s personal information already maintained by the business before requesting additional information.[17]
- Service providers and contractors – Service providers’ or contractors’ retention, use, or disclosure of personal information pursuant to their written contracts with businesses must be reasonably necessary and proportionate for the purposes stated in the contract.[18]
Next steps
As explained at the outset of this article, the CPPA Board has declined to advance the CCPA draft regulations on cybersecurity audits, risk assessments, ADMT, insurance companies, and updates to existing regulations to formal rulemaking. As such, the updates remain discussion drafts and no date has yet been set for the public comment period to begin. Paul Hastings will continue to monitor any future progress regarding the draft regulations and updates to existing regulations.
If you have any questions concerning these draft CCPA regulations or updates to existing CCPA regulations, please do not hesitate to contact any member of our team.
[1] 11 CCR § 7001 (f)
[2] 11 CCR § 7001 (mm)
[3] 11 CCR § 7001 (nn)
[4] 11 CCR § 7001 (tt)
[5] 11 CCR § 7001 (vv)
[6] 11 CCR § 7001 (kk)
[7] 11 CCR § 7010 (c)-(d)
[8] 11 CCR § 7221 (b)(2)
[9] 11 CCR § 7150 (a)
[10] 11 CCR § 7150 (b)(1)-(4)
[11] 11 CCR § 7152 (a)-(b)
[12] 11 CCR § 7157 (a)-(b)
[13] 11 CCR § 7001 (gg)
[14] 11 CCR § 7001 (ccc)
[15] 11 CCR § 7001 (eee)
[16] 11 CCR §§ 7022 (g)(5), 7023 (f)(6), 7024 (e)(3), 7026 (e), 7027 (f)
[17] 11 CCR § 7060 (c)(1)
[18] 11 CCR § 7050 (a)