On July 15, 2024, the California Privacy Protection Agency (CPPA) released proposed updates to the California Consumer Privacy Act (CCPA) regulations, including updates to the draft risk assessments, automated decisionmaking technology (ADMT), cybersecurity audits and insurance companies’ regulations. The CPPA board did not vote to send the revised proposals to final rulemaking during its July 16 meeting due to reservations about certain key concepts, such as the broad definition of ADMT. At this stage, the CCPA is unlikely to finalize the proposed rules this calendar year.

As we have written previously, these regulations will usher in significant operational changes for businesses. It is therefore prudent for companies to start preparing now and continue to monitor how the CPPA will tweak the rules around the edges.

IN DEPTH

GENERAL UPDATES TO EXISTING REGULATIONS

The latest draft regulations include several minor revisions to existing CCPA regulations, including the following:

• Recharacterizing the “right not to receive discriminatory treatment” as the “right not to be retaliated against and clarifying that this right also applies to applicants of educational programs, job applicants and students.
• Permitting companies to change the color of the alternative opt-out button to allow it to stand out on a webpage.
• Adding several examples to illustrate how to apply the rules, including ways a company can process data for internal purposes.

AUTOMATED DECISIONMAKING TECHNOLOGY REGULATIONS

Top of mind for the CPPA drafters is the definition of ADMT. The proposed definition of ADMT is “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” Excluded from this definition are certain technologies like spreadsheets or databases, provided they are not substantially facilitating or replacing human decisionmaking.

The latest draft features an example scenario to try to cut through the definitional morass:

“For example, a business’s use of a spreadsheet to run regression analyses on its top-performing managers’ personal information to determine their common characteristics, and then to find co-occurrences of those characteristics among its more junior employees to identify which of them it will promote is a use of automated decisionmaking technology, because this use is replacing human decisionmaking. By contrast, a manager’s use of a spreadsheet to input junior employees’ performance evaluation scores from their managers and colleagues, and then calculate each employee’s final score that the manager will use to determine which of them will be promoted is not a use of automated decisionmaking technology, because the manager is using the spreadsheet merely to organize human decisionmakers’ evaluations.”

Although the example above is a step in the right direction, the ADMT definition still leaves much in the gray. Too much subjectivity and potential scope variance in the definition will undoubtedly lead to confused application and enforcement of the ADMT rules.

The draft regulations also include new privacy rights related to ADMT, which could create operational challenges for businesses; these include the rights to:

• Access ADMT, which would allow a consumer to access information about the business’s use of ADMT with respect to that consumer.
• Request to appeal ADMT, which would allow a consumer to appeal a significant decision made on the basis of ADMT.
• Opt out of ADMT, which would allow a consumer to opt out of the use of ADMT in limited circumstances.

RISK ASSESSMENTS REGULATIONS

As described in our previous article, the new regulations governing risk assessments require businesses to annually submit to the CPPA an abridged form of the business’s privacy risk assessment of any processing that “presents significant risk to consumers’ privacy.” The draft regulations revise the content requirements of the abridged risk assessments to include a plain-language explanation of the safeguards the business implemented or plans to implement to mitigate the negative impacts to a consumer’s privacy associated with the processing.

CYBERSECURITY AUDITS REGULATIONS

The draft regulations propose limiting the requirements of cybersecurity audits in certain circumstances by removing the following from the December 2023 draft:

• The requirement that businesses assess and document in their cybersecurity audit how their cybersecurity program protects consumers from the negative impacts associated with data breaches.
• The option for businesses to annually submit a written acknowledgement that the business is not in full compliance with the cybersecurity audit rules. Instead, businesses may only annually submit a written certification that the business complied with the requirements.

INSURANCE COMPANIES’ REGULATIONS

As discussed in our previous article, the December 2023 draft regulations introduced new regulations applying to insurance companies. Those regulations clarified that insurance companies that meet the definition of “business” under the CCPA should comply with the CCPA with regard to any personal information not subject to the California Insurance Code. The new draft further clarified these requirements by adding several illustrative examples without materially changing how they apply.

WHAT’S NEXT?

The CPPA board continues to debate the definition of ADMT and the resulting economic impact of this and other changes to the regulations. They have delayed finalizing the rules until at least September, which could mean that the rules could be finalized in early 2025 and come into effect later that summer.

[View source.]