Companies Face 119 Pages of New Calif. Privacy Rules, But Some Say They're Too Light
Businesses should start thinking now about complying with new data-protection regulations approved Thursday by the California Privacy Protection Agency (CPPA), privacy attorneys said immediately afterward in blogs and LinkedIn posts. While consumer privacy advocates slammed the rules as weak, one acknowledged they still give California a lead over other U.S. states.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The CPPA Board unanimously approved 119 pages of proposed rules Thursday on automated decision-making technology (ADMT), risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations. Board approval allowed staff to submit the rulemaking package to the California Office of Administrative Law, which, in turn, will have 30 business days to decide if the rules may become final. Also at the meeting, the board agreed to collect additional comments on upcoming data-deletion rules (see 2507250017).
"These rules represent a significant shift in the privacy, security and artificial intelligence regulation landscape," blogged Frankfurt Kurnit privacy attorney Andrew Folks. "While the final rules are less expansive than earlier drafts, businesses will need to operationalize several new obligations under the regulations," including to honor consumer requests to access and opt out of using ADMT, hold annual and independent cybersecurity audits and to conduct risk assessments "in a broad range of required scenarios, including when selling or sharing personal information."
The ADMT regulations may "omit the term AI, but make no mistake -- this is a heavy-duty AI regulation," Goodwin privacy attorney Omer Tene said on LinkedIn. Applying only to automated decision-making used for significant decisions, the rules share DNA with AI governance laws like Colorado's, he said.
IAPP Cybersecurity Law Center Managing Director Jim Dempsey blogged that the CPPA rules expand on cybersecurity requirements in the CCPA statute, "establishing that a business's processing of consumers' personal information presents significant risk to consumers' security if: (1) the business derives 50% or more of its annual revenues from selling or sharing consumers' personal information, or (2) the business has annual gross revenues in excess of" about $2.6 million "and processed, in the preceding calendar year, the personal information of 250,000 or more consumers or households or the sensitive personal information of 50,000 or more consumers."
"The rule ... states that every business required to complete a cybersecurity audit must do so using a qualified, objective, independent professional using procedures and standards accepted in the profession of auditing," added Dempsey. While there's no requirement for businesses to submit audit reports to the CPPA, "the agency and the state attorney general have [the] power to subpoena audit reports, including as part of an investigative sweep. Plus, it is likely that the audit reports will become the target of plaintiffs' discovery requests in the private class-action lawsuits that often follow announcement of a data breach."
Shook Hardy privacy attorney Josh Hansen said on LinkedIn that the new rules require some businesses, but not all subject to CCPA, to annually audit their cybersecurity programs. Audits must focus on "policies, procedures, and practices for protecting personal information from unauthorized processing," he said. "While the deadline is a ways off," with large businesses not needing to certify their first audit by April 1, 2028, and smaller businesses getting one to two years more, "businesses will want to start preparing now because there is a lot here."
The rules could have been more onerous for industry, lawyers for businesses and consumer privacy advocates agreed.
Sidley Austin privacy attorney Sheri Porath Rockwell noted that the rules were "significantly scaled back" from an original draft of a few years ago. For example, the CPPA removed broad AI regulations amid threats of litigation and outcry from state legislators and Gov. Gavin Newsom (D). In addition, it removed previously expansive behavioral ad regulations and greatly narrowed the rules' definition of ADMT, she posted on LinkedIn.
Consumer Watchdog tech and privacy advocate Justin Kloczko blogged that the rules don't reflect what Californians voted for when they approved the California Privacy Rights Act in 2020. "They voted for meaningful privacy protections that have not been watered down by large companies." That said, they "still give Californians more protections than most states," the advocate acknowledged.
The initially strong draft rules were weakened over time, said Kloczko. "Fears began to grow, starting with board member Alastair Mactaggart, who said the board was going statutorily too far and drafting regulations too burdensome on businesses. Unrelenting industry opposition and a letter from the governor and concerned legislators followed, causing the board to slash pro-consumer protections."
For example, Kloczko said, opt-out, "transparency and appeal rights for automated decisions now only pertain to what the board defines as 'significant decisions,' areas of financial lending, employment, housing, education, and healthcare. But what the board considered 'significant decisions' was also narrowed, as it deleted insurance, criminal justice and essential goods from the scope of the law." Also, "the agency loosened consumer data protections surrounding behavioral targeted advertising" and "scrubbed" AI from the rules, he added.
The final package also disappointed Ridhi Shetty, a senior policy counsel at the Center for Democracy and Technology. "The CPPA has acceded to industry demands to limit the new ADMT rule's protections to systems that have essentially no human review," she said in an emailed statement. "Under the new rule, even rote human review that involves rubber-stamping ADMT outputs would likely allow companies to avoid accountability entirely."
Added Shetty, "The CPPA knows this, having said in May that a mere 10% of California businesses would be subject to the rule thanks to its narrowed definitions." Shetty continued, "That number is likely to dwindle as companies find ways around the rule. The agency has given industry a roadmap to avoid the protections it just spent years enacting."