On September 8, the CPPA held a board meeting, where it walked through subcommittee draft regulations regarding cybersecurity audits and risk assessments. Below are some quick takeaways from the meeting regarding the draft regs:


  • The CPPA clarified that it has not started the formal rulemaking process (which requires formal comment and response periods). The goal of this board meeting was for the subcommittee to consider feedback from the CPPA and come back with revised drafts at the next meeting. The CPPA acknowledged that this informal rulemaking process could take several meetings – it is unlikely any of the regulations will enter formal rulemaking at the next meeting.
  • The subcommittee is actively drafting automated-decision making regs, but those were not ready in time for this board meeting. Those should be ready by the next board meeting.
  • The draft regs could be approved at different times. For example, the cybersecurity audit regs might be ready at the next board meeting, but the risk assessment and automated-decision making regs might not be ready until later.

Cybersecurity Audits

  • Board members spent the majority of their time on cybersecurity audits discussing the applicability threshold. Board members acknowledged that the threshold issue is particularly important because the requirement to conduct cybersecurity audits is not found under any other comprehensive state privacy law (including Colorado), and may be difficult for companies to address. Some board members (like Alastair MacTaggart) felt that the cybersecurity audit requirement should apply to all businesses, and be rolled out through timing thresholds.

Risk Assessments

  • AI and automated-decision making were a key focus of discussion. Some board members expressed concern around the broad definition of “AI” (which was inspired by the NIST standard). There was also concern that these regulations could overlap with the forthcoming automated-decision making regs (which will address the opt-out right). 
  • Board members referenced the Colorado regs multiple times. The CPPA clearly has been inspired by the Colorado regs in drafting the California regs.
  • Risk assessments are meant to tie into the reasonable expectation test obligations under Section 7002 of the regs.
  • There was discussion that risk assessments should align with GDPR and Colorado requirements, and companies should be able to use risk assessments conducted under those regimes to comply with California law. Some board members voiced concern that very technical obligations (such as requiring a business to name individuals involved in a risk assessment) could undermine those efforts.