On Nov. 27, the California Privacy Protection Agency (the Agency) published its draft Regulations for Automated Decision Making Technology (ADMT), its draft Risk Assessment Regulations, and a revised draft of its Cybersecurity Audit Regulations. On Dec. 8, the Agency board (Board) held a public meeting to discuss the draft regulations prior to starting the formal rulemaking process. The publication of these draft regulations is intended to facilitate public discussion and participation, which means the effective date of the regulations has not yet been determined.
Board meeting results
● The Cybersecurity Audit Regulations are moving forward in the formal rulemaking process;
● ADMT and Risk Assessment Regulations were sent back to staff for revisions; and
● The Agency approved a legislative proposal to require browsers to offer opt-out preference signals.
For historical context, each regulation was in a different phase of approval when submitted to the Board. The Cybersecurity Audit Regulations were initially submitted via subcommittee on Sept. 8 and sent back to the Agency for revision. The ADMT regulations were submitted directly by CPPA staff (not via subcommittee). The Risk Assessment Regulations are the initial draft from the subcommittee. In other words, the Board had previously discussed the Cybersecurity Audit Regulations, and this was the Board's first meeting to discuss the proposed regulations on ADMT and risk assessments.
What's to come
Cybersecurity Audits. Initially, the scope of the cybersecurity audits was unclear because the initial draft regulations provided that "every business whose processing of consumers' personal information presents significant risk to consumers' security ... complete a cybersecurity audit." Given this language, it was not clear what a "significant risk to consumers' security" meant. The newly adopted regulations resolve this ambiguity by setting out the following applicability thresholds:
● Businesses that derive 50% or more of their annual revenue from selling or sharing consumers' personal information (i.e., data brokers); or
● Businesses having $25 million in gross annual revenue that also meet any of the following:
- Processing the personal information of 250,000 or more consumers in the preceding calendar year;
- Processing the sensitive personal information of 50,000 consumers in the preceding calendar year; or
- Processing the personal information of 50,000 consumers whom the business has actual knowledge were under the age of 16.
A covered business would have two years from the effective date of the regulation to fulfill its audit obligations, and thereafter such audits must be completed yearly. The audit must assess and document the business's cybersecurity program, which can be a burdensome exercise. The Board is looking into the economic impact of such requirements, and it is possible the regulations will be amended.
ADMT Regulations. The Board raised concerns that the proposed regulations were overly broad. The proposed regulations defined ADMT as "any system, software, or process - including one derived from machine learning, statistics, or other data-processing or artificial intelligence - that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making." This last portion, "facilitate human decision-making," shows the expansive nature of the activities that would fall within this definition, since it covers systems that merely support human activity and thus are not fully automated. Board member Alastair Mactaggart was particularly concerned with aspects of the regulations pertaining to an employee's ability to opt out of certain ADMT, which could interfere with some human resource tools that monitor employee performance and safety.
The proposed regulations would require covered businesses to:
(1) provide a "pre-use" notice;
(2) provide a right to access the purposes of ADMT and the processes for making decisions about consumers; and
(3) provide opt-out rights.
The opt-out rights would be limited to the following:
(a) for "a decision that produces legal or similarly significant effects" concerning a consumer;
(b) in the employment context (as discussed below); and
(c) in a publicly accessible place.
Note that in the employment context, ADMT includes using keystroke loggers, productivity or attention monitors, video or audio recording, live streaming, facial or speech recognition or detection, automated emotion assessment, location trackers, speed trackers, web-browsing, mobile-applications, or social-media monitoring tools.
Risk Assessments. In addition to the cybersecurity audits discussed above, the proposed regulations would also require a covered business to conduct regular risk assessments. Before a business uses ADMT for any of the following purposes, the business would be required to conduct a risk assessment:
(1) for a decision that produces legal or similarly significant effects concerning a consumer;
(2) profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student;
(3) profiling a consumer while they are in a publicly accessible place; or
(4) profiling for behavioral advertising.
A certificate of compliance would not be required until 24 months after the regulations take effect, and the Board leaned toward requiring recertification every three years thereafter. Additionally, upon request, a business must provide the Agency with a risk assessment within five days of such request.
Legislative Proposal. In a unanimous decision, the Agency voted to propose a new law requiring browser vendors to include an opt-out preference signal feature that lets users elect not to have their data sold or shared. Currently, the top browser vendors, which make up 90% of the browser market, do not offer opt-out signal extensions. The proposal aims to simplify privacy protections for consumers such that enabling the feature would constitute an opt-out from the sale or sharing of their data.
Recommendations for next steps
Although the regulations are in a nascent phase and subject to change (especially the ADMT and risk assessment regulations), we recommend staying ahead of the curve. As such, businesses should keep track of what information is being collected and what technologies are being used, and should not neglect employee privacy. Since the cybersecurity audit regulations may be the first to take effect, businesses should ensure they meet or exceed industry cybersecurity standards. The Agency is holding its next public meeting on Jan. 12. Information about the meeting can be found on the Agency's site at https://cppa.ca.gov/meetings.