security

CPPA Holds Meeting To Discuss Regulations For Automated … – Mondaq News Alerts



To print this article, all you need is to be registered or login on Mondaq.com.

On July 14, the California Privacy Protection Agency (CPPA or
the “Board”) hosted a meeting to
discuss key issues. Notably, the Board’s New CPRA Rules
Subcommittee (“the Subcommittee”) previewed three areas
of forthcoming regulation: namely, automated decision-making
technology (ADMT), cybersecurity audits, and cybersecurity risk
assessments.

The Board’s discussion largely focused on the applicable
thresholds and boundaries that businesses will need to meet in
order to be subject to these regulations. The applicable thresholds
center on the type of processing that the business is engaged in
and the size of and resources available to the business —
thus, these thresholds would serve to minimize regulatory burdens
on small and medium-sized businesses.

As a next step, Chairperson Jennifer Urban suggested that the
Subcommittee prepare the actual language of the regulations so that
the Board will have the opportunity to comment and review.
Businesses should continue to pay close attention as these
proposals develop, as the results of these processes will likely
lead to additional compliance requirements in these areas of focus.
Looking ahead, businesses that would like to prepare in
anticipation of CPRA developments, can turn to other state privacy
law frameworks for guidance. For example, the Colorado Privacy Act
establishes a framework for businesses that engage in automated
decision-making. Under this framework, businesses must provide
consumers the opportunity to opt-out of profiling that is based in
automated processing, as well as follow certain procedures where a
consumer’s request to opt-out of human reviewed automated
processing is denied. Notably, the Board has previously requested
feedback on California’s potential adoption of Colorado’s
approach to cybersecurity regulation. The Colorado privacy law
mandates that companies conduct data protection assessments for
processing activities that present a heightened risk of harm. As
such, businesses looking for insight into the Board’s potential
approach to cybersecurity audits and assessments should turn to
Colorado’s compliance requirements.

Readers Also Like:  India’s Modi leaves Washington with host of defense, tech agreements in his wake - Breaking Defense

We summarize the current proposal below and will continue to
track the development of these regulations on this blog. We are happy to answer any
questions that you may have about how the Board’s ongoing
regulatory efforts may affect your business.

Automated Decision-making Technology (ADMT)

As the first step to ADMT regulation, the Board is focusing on
developing the definition of ADMT, with the goal of broadening the
definition as much as possible. Under the current proposal, ADMT
would be defined as “any system, software, or
process—including one derived from machine-learning,
statistics, or other data processing or artificial intelligence
techniques—that processes personal information and uses
computation as whole or part of a system to make or execute a
decision or facilitate human decision making. ADMT includes
profiling
” (emphasis added). Currently, the California
Consumer Privacy Act (CCPA) defines “profiling” as
“any form of automated processing of personal information …
to evaluate certain personal aspects relating to a natural person
and in particular to analyze or predict aspects concerning that
natural person’s performance at work, economic situation,
health, personal preferences, interests, reliability, behavior,
location, or movements.” Cal. Civ. Code § 1798.140(z).
However, it remains unclear whether the Subcommittee will adopt
this definition of profiling. Indeed, Chairperson Urban noted
during the meeting that this definition covers only a subset of
profiling.

Under the Subcommittee’s proposal, businesses that use ADMT
will have obligations only if they meet certain thresholds. To
determine applicability, businesses will need to ask:

  • Is ADMT used in relation to decision making associated with the
    denial of services such as financial or lending services, housing,
    insurance, education enrollment or opportunity, criminal justice,
    employment or contracting opportunities or compensation, healthcare
    services, or access to essential goods, services, or
    opportunities?

  • Is ADMT used to monitor or surveil employees or job
    applicants?

  • Is ADMT used to track the behavior, location, movements, or
    actions of consumers in publicly accessible places?

  • Does ADMT process personal information of consumers where there
    is actual knowledge that those consumers are less than 16 years of
    age?

  • Is ADMT used to process personal information for the purpose of
    training ADMT models?

To the extent these questions apply, businesses may be subject
to ADMT regulation.

Cybersecurity Audits

The Board also discussed regulations regarding cybersecurity
audits. The Subcommittee noted that most privacy and data
protection laws do not require cybersecurity audits, but
highlighted several frameworks that it is considering as references
for potential regulation, such as the NIST Cybersecurity Framework
and NY DFS cybersecurity regulations. The Subcommittee is
contemplating how to make auditing feasible to businesses by
considering a number of thresholds. This is good news for small and
medium-sized businesses, because the thresholds currently proposed
are based on the size of the organization, on the resources
available to the business, and on how involved the business is with
consumer personal information. Potential thresholds include:

  • Businesses primarily or significantly engaged in sale or
    sharing of personal information (e.g., data brokers).

  • Larger businesses that potentially meet a particular revenue or
    processing threshold (e.g., annually processing the personal or
    sensitive information of a certain number of consumers or
    households or annually processing the personal information of a
    certain number of consumers less than 16 years of age.)

Risk Assessments

Finally, the Subcommittee discussed the obligations of
businesses associated with risk assessments. The Subcommittee’s
proposal included recommended and potential thresholds to determine
the applicability of regulations pertaining to the performance of
risk assessments.

Thresholds recommended for implementation included:

  • Selling or sharing personal information.

  • Processing sensitive personal information, except for employers
    processing sensitive personal information for limited employment
    purposes.

  • Processing the personal information of consumers that the
    business has actual knowledge are less than 16 years of age.

  • Using ADMT for decisions related to denial of services such as
    financial or lending services, housing, insurance, education
    enrollment or opportunity, criminal justice, employment or
    contracting opportunities or compensation, healthcare services, or
    access to essential goods, services, or opportunities.

Thresholds recommended for further discussion include:

  • Processing the personal information of employees or job
    applicants;

  • Processing the personal information of consumers in publicly
    accessible places through technologies that track consumers’
    behavior, location, movements, or actions; and

  • Processing the personal information of consumers to train
    artificial intelligence.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States

Generative AI And Copyright Issues

Akin Gump Strauss Hauer & Feld LLP

The recent expansion of the scope and capabilities of generative artificial intelligence (AI) tools and platforms has introduced a number of legal challenges.

Upcoming SEC Open Meeting On Cyber (And More)

Mayer Brown

The Securities and Exchange Commission announced an open meeting to be held on July 26, 2023. The agenda includes consideration of the final amendments to the rules…



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.