Earlier today the California Privacy Protection Agency (CPPA) held a public board meeting, where it discussed the draft regulations concerning cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), and more. The meeting was incredibly substantive, and lasted nearly the entire day. Below are the top takeaways to start your weekend:
Cybersecurity Audit Regs Advance. The board agreed that the cybersecurity audit regs are in good shape, and motioned to direct staff to prepare the cybersecurity audit regs for advancement to formal rulemaking, with authorization to make additional changes. This means that the staff will put together the required documentation (including an economic assessment) for review and approval by the board at (likely) the next board meeting. As part of this process, staff may use input they received from the board at today’s meeting (or elsewhere) to improve or clarify aspects of the cybersecurity regs. If the board votes to approve the cybersecurity regs for formal rulemaking at the next meeting, the regs will go to the 45-day public comment period to give the public an opportunity to provide feedback on the regs. I expect these regs to be ready for the next board meeting, possibly in January.
Risk Assessment and ADMT Regs Go Back to Subcommittee. In contrast, the board agreed that the risk assessment and ADMT regs are not ready for formal rulemaking, and motioned to direct staff to prepare revised subcommittee drafts, taking into account feedback from board members. This is similar to what happened with the cybersecurity audit regs at the last board meeting. Notably, some board members voiced concern that the drafts may require several rounds of edits due to the scope of the remaining issues, and asked staff to connect with board members for further feedback before the next draft. Even if we see the next draft in January, I expect these regs will not be ready for some time.
Other Proposed Regs Advance. As part of its meeting agenda, the board also considered proposed insurance regs and slight changes to the CCPA V1 regs finalized earlier this year. Similar to its decision with the cybersecurity audit regs, the board motioned to direct staff to prepare both sets of regs for advancement to formal rulemaking, with authorization to make additional changes. I expect these regs to be ready for the next board meeting, possibly in January. With respect to the CCPA V1 regs, several board members pointed out that some of the language regarding consumers under 16 should be revised to include an “actual knowledge” standard. Staff also discussed how it is monitoring developments in other jurisdictions to inform future proposed changes, including how Colorado is selecting compatible opt out preference signals (like GPC) and how the EU is implementing financial incentive requirements similar to those found under CCPA. It will be interesting to see if California ultimately takes a similar approach to listing recognized preference signals.
Some Concerns Over Cybersecurity Audit Regs. During the cybersecurity regs discussion, some board members raised concerns that the requirement for a business to assess “psychological harm” to consumers as part of a cybersecurity audit is constitutionally risky, especially in light of the recent lawsuits against the AADC and AB587. Staff took this point under submission. In addition, some board members suggested that the regs expressly allow a GDPR-compliant cybersecurity audit to satisfy the California cybersecurity audit requirement. This point did not gain traction, with other board members arguing that California has the opportunity to improve deficiencies with GDPR audit requirements, and that California should set its own standards as most businesses have never conducted impact assessments on California employee data (especially since no other US comprehensive state privacy laws apply to employee data). Staff will consider potential paths to align requirements, but unfortunately it looks like businesses will once again need to address California-specific requirements.
Concerns around Scope of ADMT. The board spent considerable time discussing ADMT, including the scope of the definition and the opt out right. Several members voiced concern that ADMT is so broadly defined that it could cover all technology, even in the business-to-business setting. Board members also pointed out that the opt out could allow consumers to opt out of any technology, which is not necessarily beneficial for consumers and does not promote privacy. Such broad definitions could burden businesses with having to explain why they used such software, starting from a public presumption that ADMT is bad. Even a small business using software for payroll might need to prepare an impact assessment under the wording of the regulation. The board expressed that it was open to “wordsmithing” those definitions to an extent. Given the amount of pushback, I expect the next draft from the subcommittee to include reworked language around these concepts.
Concerns around ADMT in Employment. ADMT in the employment space was a particularly hot topic. Board members generally agreed that employees should have the right to know about their employer’s use of ADMT in the workplace, but disagreed as to whether employees should have the right to opt out in all circumstances. Some board members argued that ADMT is necessary for certain employment-related practices, such as monitoring truck drivers for safety while they are driving. Again, I expect this to be reworked in the next draft.
Behavioral Advertising is Within Scope. One thing all board members agreed upon is that consumers should have the right to opt out of profiling for behavioral advertising without exception. The staff clarified that it purposely used the term “behavioral advertising” and not “cross-context behavioral advertising” (as defined in the statute) because the opt out needs to apply to all behavioral advertising. I’m not yet clear on the implications of this language, but I’m sure it will have an impact on the advertising ecosystem.
Alastair MacTaggart – Business Champion. Alastair MacTaggart, the original writer of the CCPA, surprisingly took a very business-friendly approach during the meeting. He pushed back on many of the proposed technical requirements, arguing that they will require a lot of work for businesses while not necessarily advancing the cause of privacy. Not surprisingly, he still took a strong position that behavioral advertising must be highly regulated.
Timeframe. We don’t yet know the timeframe for the next meeting, but I expect sometime in late January / early February. We will continue to monitor and post updates. Have a great weekend!