California Releases Draft Audit and Risk Assessment Regs

The California Privacy Protection Agency, the government agency that enforces the California Privacy Rights Act, has released two DRAFT documents recently. They are going to discuss the drafts at their meeting tomorrow but they have not yet started the rulemaking process.

The two regulations are the cybersecurity audit regulations and the cyber risk assessment regulations.

Some of the main points of the audit regulations are:

  • Outline the requirement for annual cybersecurity audits for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ security”;
  • Outline potential standards used to determine when processing poses a “significant risk”;
  • Propose options specifying the scope and requirements of cybersecurity audits; and
  • Propose new mandatory contractual terms for inclusion in Service Provider data protection agreements.

For the risk assessment regulations, some of the key points include:

  • Propose new and distinct definitions for Artificial Intelligence and Automated Decision-making technologies;
  • Identify specific processing activities that present a “significant” risk of harm to consumers, requiring a risk assessment. These activities include:
    • Selling or sharing personal information;
    • Processing sensitive personal information (outside of the traditional employment context);
    • Using automated decision-making technologies;
    • Processing the information of children under the age of 16;
    • Using technology to monitor the activity of employees, contractors, job applicants, or students; or
    • Processing personal information of consumers in publicly accessible places using technology to monitor behavior, location, movements, or actions.
  • Propose standards for stakeholder involvement in risk assessments;
  • Propose risk assessment content and review requirements;
  • Require that businesses that train AI for use by consumers or other businesses conduct a risk assessment and include with the software a plain statement of the appropriate uses of the AI; and
  • Outline new disclosure requirements for businesses that implement automated decision-making technologies.

Even if you are not required to comply with this right now, think about this. Two years ago there was one state with a second-generation privacy law. Now there are more than a dozen. It is moving very fast.

Credit: Ballard Spahr