The California Privacy Protection Agency (CPPA) is the first state agency in the US dedicated to enforcing the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). The CPPA recently published draft regulations on risk assessments and cybersecurity audits that businesses must conduct if their processing of personal information presents significant risk to consumers’ privacy or security.
The draft regulations are not part of the formal rulemaking process yet, but they indicate the CPPA’s intent to create extensive obligations for businesses subject to these regulations. The draft regulations identify seven instances in which a risk assessment would be required, such as selling or sharing personal information, processing sensitive personal information, using automated decisionmaking technology, or processing personal information of minors, employees, or consumers in public places.
The risk assessment must identify and weigh the benefits and risks of the processing, and propose measures to mitigate the risks. The risk assessment must also consider the impact of the processing on consumers’ rights, such as the rights to access, delete, or correct their personal information, or to opt out. The risk assessment must be submitted to the CPPA on a regular basis, and the CPPA may request additional information or conduct an audit of the risk assessment.
The draft regulations also require businesses to conduct cybersecurity audits at least once every two years if they process personal information that presents significant risk to consumers’ privacy or security. The cybersecurity audit must evaluate the effectiveness of the business’s technical and organizational measures to protect personal information from unauthorized or unlawful access, use, disclosure, alteration, or destruction. The cybersecurity audit must be performed by an independent auditor who is certified by a recognized cybersecurity standard or framework. The cybersecurity audit report must be submitted to the CPPA upon request.
The draft regulations are subject to change and public comment before they become final. The CPPA has not yet started the formal rulemaking process for these regulations. Businesses that are subject to the CCPA and CPRA should monitor the development of these regulations and prepare to comply with them once they are effective.