California Privacy Regulator Approves Trimmed-Down Regulations
On May 1, the California Privacy Protection Agency ("CPPA") board (the "Board") met to discuss revisions to proposed regulations relating to cybersecurity audits, risk assessments, and automated decision-making technologies ("ADMTs").
The rulemaking process has been ongoing since 2023, when the CPPA invited public comment on the first version of the proposed regulations. The regulations have gone through a number of revisions since then, and after completing a public notice and comment period earlier this year, the Board met on April 4 and instructed the CPPA staff to narrow the scope of the regulations based on the comments received. On April 30, the CPPA staff released revised regulations significantly limited in scope.[1]
Board members had different opinions on the revised regulations: Alastair MacTaggart expressed concerns that the revised regulations were still overbroad, while Chairperson Jennifer Urban was concerned that they had been pared back "to the bone." Nonetheless, with minor changes, the Board voted to advance the final version of the revised regulations for another round of public comment. Although only required to provide 15 days for public comment, the Board extended the deadline to June 2.
Summary of Major Changes
The CPPA made a number of substantial changes to the proposed regulations, many of which would narrow the scope of the rules. Specifically, the CPPA:
- Removed all references to "behavioral advertising." This dramatically limits the scope of the proposed regulations, which previously would have covered targeted advertising based on first-party data and required businesses to allow consumers to opt out of such advertising.
- Removed all references to "artificial intelligence." In the prior draft, training certain artificial intelligence systems could have triggered the risk assessment requirement. This change focuses the regulations on technologies that meet the revised definition of ADMT.
- ADMT
  - Limited the scope of covered ADMTs to those that make a "significant decision" concerning a consumer.
  - Limited the scope of covered ADMTs to include only technology that substantially "replaces" human decision-making, which means using "the technology's output to make a decision without human involvement." The prior version more broadly covered ADMTs that "facilitate" human decision-making, which would have included ADMTs that have human involvement.
  - Reduced the scope of "significant decisions," which is newly defined as decisions that result "in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services." The previous definition included "access" to such services and included other services, such as "insurance," "criminal justice," and "essential goods and services." Moreover, "significant decisions" now expressly excludes decisions that are related to "advertising to a consumer."
- Risk Assessments
  - Limited the scope of profiling activities that trigger the risk assessment requirements. For example, the regulations no longer refer to "extensive profiling" of an individual. Instead, they require risk assessments when profiling through systematic observation of individuals who are acting in certain education or employment contexts, or based on the individual's presence in a sensitive location.
  - Limited the scope of ADMT training that triggers risk assessments. Processing personal information to train ADMTs will trigger a risk assessment only when the business intends to use ADMT for a "significant decision" or to train a facial recognition, emotion recognition, or other technology that verifies a consumer's identity or profiles a consumer. Under the previous version of the regulations, any use of personal data to train ADMT that could be used for those purposes, even if it was not intended for such use, would trigger the risk assessment.
  - Removed the requirement that businesses submit "abridged" risk assessments to the CPPA. However, the CPPA or Attorney General may require businesses to submit risk assessment reports at any time and within 30 days of a request.
  - Simplified the information that must be included in a risk assessment.
- Cybersecurity Audits
  - Introduced a three-tiered implementation schedule based on gross annual revenue. Businesses with gross annual revenue over $100M will need to complete their first audit by April 1, 2028; businesses with gross annual revenue between $50M-$100M will need to complete their first audit by April 1, 2029; and businesses with gross annual revenue less than $50M (but still subject to the CCPA's revenue or processing thresholds) will need to complete their first audit by April 1, 2030.
  - Removed all references to "zero trust architecture."
  - Clarified that businesses can use audits prepared for another purpose to satisfy the regulatory requirements.
  - Clarified the qualifications of the individual who must submit the annual compliance certification and the information that the certification must include.
Takeaways
Members of the public have until June 2 to comment on the most recently revised regulations. The Board indicated that after the close of this comment period, it could adopt a final draft of the regulations as early as July. DWT's Privacy & Security and AI Teams regularly advise clients on emerging requirements and will continue to monitor developments of California's proposed regulations.