CCPA’s Draft Assessment Regulation: Preparing your business for compliance

INTRODUCTION

In a significant development, the California Privacy Protection Agency (CPPA) released a set of materials on August 28, 2023, laying the groundwork for its board meeting scheduled for September 8, 2023. Among these materials are two documents that have drawn substantial attention within the privacy community: the draft Cybersecurity Audit Regulation and the draft Risk Assessment Regulation.

These regulations, though still at an early stage of discussion, are expected to form part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the landmark amendments introduced by the California Privacy Rights Act.

Despite their preliminary nature, the draft rules reveal a comprehensive set of obligations, providing a first glimpse into the potentially rigorous compliance requirements that lie ahead. 

This article examines the obligations set out in the draft Risk Assessment Regulation and their potential impact on businesses.

BUSINESSES OBLIGATED TO CONDUCT RISK ASSESSMENTS 

§7150 provides that a business should conduct a risk assessment when it engages in certain activities that could harm consumers’ privacy.

These activities include:

  1. Selling or sharing personal information.
  2. Handling sensitive personal information (with some exceptions for employee-related purposes).
  3. Using automated decision-making technology for crucial decisions like financial services, housing, insurance, education, etc.
  4. Dealing with personal information of individuals under 16 years of age.
  5. Monitoring employees, contractors, job applicants, or students using various tracking technologies.
  6. Using technology to observe and track consumers in public places.
  7. Using personal information to train artificial intelligence or automated decision-making systems.

§7151 further mandates comprehensive stakeholder involvement in risk assessments. This includes engaging all relevant personnel within the organisation (e.g., product, fraud prevention and compliance teams) so that the assessment is based on complete and accurate information. External parties, such as service providers, experts in bias detection, or select consumers, may also be involved in identifying and mitigating risks.

RISK ASSESSMENT REQUIREMENTS 

§7152 of the Risk Assessment Regulation sets out the Risk Assessment Requirements every business should consider:

  1. Summary of Processing: Provide a concise summary of the processing activities that pose significant risks to consumers’ privacy. Describe how personal information will be collected, used, disclosed, and retained.
  2. Personal Information Categories: Specify the categories of personal information to be processed and indicate if sensitive personal information is included.
  3. Context of Processing: Explain the relationship between the business and the consumers whose personal information will be processed.
  4. Consumer Expectations: Describe consumers’ reasonable expectations regarding the purpose of processing or its compatibility with the context of data collection. If obtaining consent, explain how it complies with regulations.
  5. Operational Details: Detail the business’s planned methods for processing personal information, including sources, data minimization compliance, retention periods, approximate consumer numbers, technology used, and third-party involvement.
  6. Purpose of Processing: Clearly state the specific reasons for processing personal information, avoiding generic terms like “improving services” or “security purposes.”
  7. Benefits of Processing: Identify and specify the benefits to the business, consumers, other stakeholders, and the public resulting from the processing.
  8. Negative Impacts: Identify and describe the negative impacts on consumers’ privacy, including their sources, magnitude, and likelihood, and explain how these determinations were made. The categories of negative impact to be considered are: Constitutional Harms; Security Impacts; Discrimination Harms; Impairing Consumer Control; Coercion or Compulsion; Exploiting Vulnerabilities; Economic Harms; Physical Harms; Reputational Harms; and Psychological Harms.
  9. Safeguards: Outline the safeguards the business plans to implement to address the negative impacts identified in (8), and explain how these safeguards specifically mitigate those impacts, address residual risks, and maintain awareness of emerging risks. The categories of safeguards to be considered are: Safeguards to Protect Personal Information; Privacy-Enhancing Technologies; Restrictions on Processing; and Deidentification or Aggregation of Personal Information.
  10. Impact Assessment: Assess whether the negative impacts identified in (8), after applying the safeguards from (9), outweigh the benefits identified in (7). Provide specific reasoning for this determination, considering the impact of safeguards on this assessment.

ADDITIONAL REQUIREMENTS FOR BUSINESSES USING ADM TECHNOLOGY

§7153 places the following additional requirements on businesses using Automated Decision-Making Technology:

  1. Purpose and Benefits: Clearly explain why your business is using Automated Decision-Making Technology and outline the benefits it offers over manual processing.
  2. Data Transparency: Provide a plain language explanation of the personal information processed by the technology, including data sources and how it’s used to train the system.
  3. Output Utilization: Describe the outputs generated by the technology and how your business intends to use them, ensuring transparency in decision-making processes like employee compensation.
  4. Data Quality Assurance: Detail the steps taken to maintain the quality of personal information, including data completeness, accuracy, and steps to mitigate discrimination risks.
  5. Logic and Assumptions: Explain the logic behind the technology’s decision-making process, including any underlying assumptions.
  6. Validity, Reliability, and Fairness: Discuss how your business evaluates the technology for validity, reliability, and fairness, including the metrics used and why they are appropriate.
  7. Third-Party Components: If using components from external providers, disclose their names and explain how they do not compromise the technology’s integrity.
  8. Human Involvement: Clarify the degree of human involvement, identifying responsible individuals, their qualifications, and their role in evaluating the technology’s appropriateness.
  9. Influence and Calibration: Explain whether humans have the authority to influence the technology’s use and how this authority is exercised.
  10. Safeguards: Outline any safeguards your business plans to implement to address privacy risks specific to your use of Automated Decision-Making Technology or the data it produces.

In addition, §7154 imposes two further requirements on businesses that process personal information to train AI or ADM Technology:

Explaining Appropriate Use:

  • If your business processes personal information to train AI or Automated Decision-Making Technology and shares it with others for their use, you must provide a clear, plain language explanation of the appropriate purposes for which these individuals or entities can utilize your technology.
  • Document how you provide this information in your risk assessment and outline any safeguards you have implemented or plan to implement to ensure that the technology is used for the intended and appropriate purposes.

Supporting Recipient-Business Risk Assessment:

  • If your business shares AI or technology with other businesses (recipient-businesses) for specific processing activities, you must provide all necessary facts and information to enable these recipient-businesses to conduct their own risk assessments.
  • Include details on how you have shared this essential information in your risk assessment documentation.

§7155 mandates that personal information shall not be processed for an activity if the privacy risks outweigh the benefits to consumers, the business, other stakeholders, and the public. §7156 then sets out the Timing and Retention Requirements for Risk Assessments as follows:

  1. Initial Risk Assessment: Before commencing any processing activity outlined in section 7150, subsection (b), businesses must conduct and document a risk assessment in accordance with the stipulations of this Article.
  2. Regular Updates: Risk assessments are not one-time tasks. Businesses should review and update their assessments at least once every three years to ensure they remain accurate and reflective of the evolving landscape.
  3. Material Changes: Whenever a material change occurs in the processing activity, businesses must promptly update their risk assessment. Material changes encompass alterations in the purpose of processing, deviations from consumers’ reasonable expectations, modifications to data elements, operational adjustments, and changes in benefits, negative impacts, safeguards, and more.
  4. Retention Requirements: Businesses are required to retain all versions of risk assessments, including those revised due to material changes, for the duration of processing and at least five years after the completion of the risk assessment or the conclusion of processing, whichever is later.
  5. Transitioning Activities: For processing activities initiated before the effective date of these regulations and continuing afterward, businesses must conduct and document a risk assessment in accordance with the regulations within 24 months of the effective date.

§7157 of the Draft Regulation eases the compliance burden in two situations: where a risk assessment covers a comparable set of processing activities, and where an assessment has already been conducted to comply with another law.

  1. Businesses often engage in multiple processing activities, each with its unique set of risks. However, they can simplify the process by conducting a single risk assessment for a comparable set of processing activities. A “comparable set” refers to similar processing activities that pose similar privacy risks to consumers.
  2. If your business has already conducted a risk assessment to comply with another law or regulation and it meets the requirements of this Article, you do not need to duplicate the effort. Simply explain in an addendum how your existing assessment aligns with this Article’s requirements. However, if it falls short, supplement it with the necessary information to ensure full compliance.

To maintain transparency and accountability, businesses must be prepared to share their risk assessments with the Agency or the Attorney General upon request.

Additionally, businesses must annually submit an abridged version of their risk assessments together with a certification of compliance with the Article’s requirements, signed by a designated executive.

While these drafts are preliminary, they offer an early glimpse of the Agency’s thinking on these important and emerging regulatory matters. In essence, the drafts suggest that the Agency is inclined towards establishing substantial responsibilities for businesses under these regulations.

Author: Kosha Doshi, Intern, Data Privacy and Digital Law, EU Digital Partners