Latest CCPA Rulemaking Package Enters Public Comment Period

In November 2024, the California Privacy Protection Agency (CPPA) opened the formal public comment period for its latest proposed rulemaking package to amend the California Consumer Privacy Act (CCPA).

Here is a breakdown of the significant proposed rule changes:

Cybersecurity Audits

This proposed regulation would require businesses to conduct cybersecurity audits if they meet either of the following criteria:

  • Processed the personal information of 250,000 or more consumers or households
  • Processed the sensitive personal information of 50,000 or more consumers

Businesses would have 24 months from the effective date to complete their first audit. Following the initial audit, an audit would be required every calendar year. Companies should use a qualified, objective, and independent auditor. If the auditor is internal, they would have to report directly to the business’s board, governing body, or the business’s highest-ranking executive who is not directly responsible for the cybersecurity program.

The audit would be required to identify, assess, and document the following components of the business’s cybersecurity program:

  • Authentication, including multi-factor authentication and strong unique passwords or passphrases
  • Encryption of personal information, at rest and in transit
  • Zero trust architecture
  • Account management and access controls
  • Inventory and management of personal information and the business’s information system
  • Secure configuration of hardware and software
  • Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting
  • Audit-log management, including the centralized storage, retention, and monitoring of logs
  • Network monitoring and defenses
  • Segmentation of an information system
  • Limitation and control of ports, services, and protocols
  • Cybersecurity awareness, education, and training
  • Secure development and coding best practices
  • Oversight of service providers, contractors, and third parties
  • Retention schedules and proper disposal of personal information no longer required to be retained
  • How the business manages its responses to security incidents
  • Business continuity and disaster recovery plans, including data-recovery capabilities and backups

Risk Assessments

The proposed regulation would also require a risk assessment to determine whether the risks to consumers’ privacy outweigh the benefits of a given processing activity. Assessments would be required when a business sells or shares personal information or processes sensitive personal information. A risk assessment would also be required when a business uses Automated Decisionmaking Technology (ADMT) for a significant decision concerning a consumer or for extensive profiling.

Businesses would use the risk assessment to identify:

  • Why they will be processing consumers’ personal information
  • The categories of personal information to be processed, whether they include sensitive personal information, and the minimum personal information necessary to achieve the purpose of the processing
  • The actions they will take to maintain data quality for certain uses of ADMT or AI
  • The operational elements of the processing activity
  • The benefits to the business, the consumer, other stakeholders, and the public from the processing of personal information
  • The negative impacts on consumers’ privacy associated with the processing
  • The safeguards it plans to implement to address the negative impacts

Businesses would be required to conduct and document their risk assessments before initiating any of the triggering activities. They would also need to review their risk assessments at least once every three years for accuracy and update them as needed. Risk assessment updates would also be required whenever there is a material change to the processing activity.

Automated Decisionmaking Technology

The proposed regulations would create requirements for businesses that use Automated Decisionmaking Technology for:

  • A significant decision concerning a consumer
  • Extensive profiling of a consumer
  • Training uses of ADMT

The proposed requirements include:

  • A business that uses physical or biological identification or profiling for a significant decision concerning a consumer, or for extensive profiling of a consumer, must evaluate the physical or biological identification or profiling to ensure that it works as intended for the business’s proposed use and does not discriminate based upon protected classes
  • A business using ADMT must provide a pre-use notice to consumers that informs them about the business’s use of ADMT and the consumers’ rights to opt out of, and to access information about, the use of ADMT
  • A business must provide consumers with the ability to opt out of the business’s use of ADMT if the ADMT is used for a significant decision, extensive profiling, or training uses of ADMT
  • Businesses must provide two or more methods for submitting opt-out of ADMT requests, with at least one method reflecting how the business primarily interacts with the consumer
  • When a consumer has opted out of ADMT before the business initiated the processing, the business must not initiate processing of the consumer’s personal information using that ADMT
  • Businesses must provide consumers with the ability to access information about the business’s use of ADMT for significant decisions and extensive profiling; businesses using ADMT solely for training would not be required to respond to a consumer’s request to access ADMT
  • Businesses must provide a plain language explanation of how the ADMT works concerning the consumer
  • Businesses must verify the identity of the person requesting to access ADMT
  • A business that uses ADMT to make an adverse significant decision concerning a consumer must provide the consumer with notice of their right to access ADMT as soon as feasibly possible and no later than 15 business days from the date of the adverse significant decision

Insurance Companies

This proposed regulation clarifies that insurance companies meeting the definition of “businesses” under the CCPA shall comply with the law regarding any personal information collected, used, processed, or retained that is not subject to the California Insurance Code. The proposal acknowledges that the CCPA and the Insurance Code may overlap in their jurisdiction and delineates the boundary between the two legal frameworks. By clarifying the circumstances under which the CCPA applies, the proposed regulations would allow insurance companies to evaluate how the CCPA would apply in situations where the Insurance Code does not apply.

The full text for the proposed CCPA rulemaking can be found here.

The public comment period is open until January 14, 2025. You can submit any feedback you have to regulations@cppa.ca.gov.

CompliancePoint has a team of experienced privacy professionals dedicated to helping organizations comply with privacy regulations, including the CCPA, GDPR, and all other applicable state laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.