On August 28, 2023, the California Privacy Protection Agency (the "Agency") released two sets of draft regulations under the California Consumer Privacy Act (the "CCPA"), one for risk assessments and another for cybersecurity audits, as part of the Agency's informal rulemaking process. We discuss the draft cybersecurity audits in California Proposes Annual Audits to Assess Sufficiency and Compliance of Company Cybersecurity. This post discusses the draft risk assessment regulations (the "Draft Regulations").
With the introduction of the Draft Regulations, California seeks to join Colorado, Connecticut, and several other states with the requirement to assess processing activities that present a significant or heighted risk of harm to consumers. The Draft Regulations follow a developing trend in US data privacy law to formalize certain privacy governance models, including by requiring businesses to assess potentially harmful processing activities. The Draft Regulations refer to the assessments as risk assessments whereas other US state comprehensive privacy laws, such as the Virginia Consumer Data Protection Act (the "VCDPA") and the Colorado Privacy Act (the "CPA"), refer to the assessments as data protection assessments. We use the terms "data protection assessment" and "risk assessment" interchangeably throughout this post.
Processing Activities that would Trigger an Obligation to Conduct a Risk Assessment
The list of processing activities that trigger the obligation to conduct risk assessments are similar across Colorado, Virginia, and other states with comprehensive privacy laws in that it includes processing personal information for targeted advertising, selling personal information, using automated technology to process personal information for certain purposes, and processing sensitive information. The Draft Regulations include similar triggers from other US state comprehensive privacy laws but would require assessments in broader circumstances than risk assessment under those same laws. For instance, the Draft Regulations and the VCDPA require businesses to conduct a risk assessment for selling personal information. But the CCPA's definition of "sale" encompasses the exchange of personal information for monetary or other valuable consideration whereas the VCDPA defines "sale" more narrowly to only include the exchange of personal information for monetary consideration. As a result, the trigger to conduct a risk assessment would be broader under the Draft Regulations than the VCDPA.
Similarly, the Draft Regulations and other US state comprehensive privacy laws require businesses to conduct a risk assessment for the processing of children's personal information. However, the Draft Regulations require a risk assessment for the processing of personal information of consumers that businesses have actual knowledge are less than sixteen years of age as compared to thirteen years of age in other US state comprehensive privacy laws like Colorado and Connecticut.
The Draft Regulations would also add new triggers that may not otherwise create risk assessment obligations under other US state comprehensive privacy laws, such as (i) processing employees or job applicants' personal information using monitoring technology or (ii) processing personal information to train artificial intelligence models. Like the European Union's General Data Protection Regulation, the Draft Regulations also require businesses to conduct risk assessments when processing the personal information of consumers in publicly accessible places.
Content Requirements of Risk Assessments
The Draft Regulations' content requirements for risk assessments are comparable to the content requirements for data protection assessments under the CPA and its implementing regulations although there are some differences. For example, both the Draft Regulations and the CPA regulations require businesses to analyze and document the processing activity's risks to consumers in a risk assessment and data protection assessment, respectively. Yet the draft regulations require businesses to consider a specific list of enumerated harms to consumers whereas the CPA regulations provide a list of harms to consumer rights that businesses may consider. The draft regulations also set forth a list of safeguards that businesses must consider implementing to address the harms that the businesses are required to identify, which is more extensive than the safeguards businesses must evaluate under the CPA.
The Draft Regulations would require businesses to include certain information in their risk assessments if they use automated decisionmaking technology or process personal information to train artificial intelligence or automated decisionmaking technology, such as a plain-language explanation of the logic of automated decisionmaking technology. Some of the content requirements are derived from the National Institution of Standards and Technology ("NIST") AI Risk Management Framework, including documenting how the business evaluates its use of automated decisionmaking technology for validity, reliability, and fairness.
Security and Trade Secret Protections
The Draft Regulations do not require the Agency or the California attorney general to implement security measures to protect information contained in the risk assessments, although businesses must make their risk assessments available to the Agency and the attorney general upon request. The lack of security protections may create a material risk to businesses given the breadth of the content requirements set forth in the Draft Regulations.
The Draft Regulations do not expressly exempt businesses from including information in a risk assessment that would reveal a trade secret but the statutory provisions of the CCPA state that nothing in the CCPA shall require a business to divulge trade secrets. Businesses may rely on the statutory trade secret protection to avoid disclosing information revealing trade secrets in a risk assessment.
Service Provider and Contractor Requirements
The Draft Regulations would require service providers and contractors to assist a business for which they process personal information with conducting risk assessments by making available information necessary to conduct the assessments. The service provider or contractor agreement with the business could explicitly require the service provider or contractor to provide such assistance.
Timing, Periodic Review, and Retention Requirements
Businesses would be required to update their risk assessment whenever there is a material change in the processing activity that triggered the obligation to conduct it. Additionally, the Agency is considering two options with respect to when businesses would need to review (and update as necessary) their risk assessments even without any material change. The Draft Regulations first propose that businesses should review and update their risk assessments once every three years. Alternatively, businesses would need to conduct a periodic review as necessary to ensure that the risk assessments remain accurate, except businesses would be required to review and update risk assessments for processing that uses automated decisionmaking technology subject to access and opt-out rights either annually, biannually, or once every three years.
The Draft Regulations would require businesses to maintain risk assessments, including prior versions that businesses have revised due to a material change in processing, for as long as the processing continues, and for at least five years after the later of the completion of the risk assessment or the conclusion of the processing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.