CPPA Holds Meeting To Discuss Regulations For Automated … – Mondaq News Alerts

On July 14, the California Privacy Protection Agency (CPPA or
the “Board”) hosted a meeting to
discuss key issues. Notably, the Board’s New CPRA Rules
Subcommittee (“the Subcommittee”) previewed three areas
of forthcoming regulation: namely, automated decision-making
technology (ADMT), cybersecurity audits, and cybersecurity risk
assessments.

The Board’s discussion largely focused on the applicable
thresholds and boundaries that businesses will need to meet in
order to be subject to these regulations. The applicable thresholds
center on the type of processing that the business is engaged in
and the size of and resources available to the business —
thus, these thresholds would serve to minimize regulatory burdens
on small and medium-sized businesses.

As a next step, Chairperson Jennifer Urban suggested that the
Subcommittee prepare the actual language of the regulations so that
the Board will have the opportunity to comment and review.
Businesses should continue to pay close attention as these
proposals develop, as the results of these processes will likely
lead to additional compliance requirements in these areas of focus.
Looking ahead, businesses that would like to prepare in
anticipation of CPRA developments, can turn to other state privacy
law frameworks for guidance. For example, the Colorado Privacy Act
establishes a framework for businesses that engage in automated
decision-making. Under this framework, businesses must provide
consumers the opportunity to opt-out of profiling that is based in
automated processing, as well as follow certain procedures where a
consumer’s request to opt-out of human reviewed automated
processing is denied. Notably, the Board has previously requested
feedback on California’s potential adoption of Colorado’s
approach to cybersecurity regulation. The Colorado privacy law
mandates that companies conduct data protection assessments for
processing activities that present a heightened risk of harm. As
such, businesses looking for insight into the Board’s potential
approach to cybersecurity audits and assessments should turn to
Colorado’s compliance requirements.

We summarize the current proposal below and will continue to
track the development of these regulations on this blog. We are happy to answer any
questions that you may have about how the Board’s ongoing
regulatory efforts may affect your business.

Automated Decision-making Technology (ADMT)

As the first step to ADMT regulation, the Board is focusing on
developing the definition of ADMT, with the goal of broadening the
definition as much as possible. Under the current proposal, ADMT
would be defined as “any system, software, or
process—including one derived from machine-learning,
statistics, or other data processing or artificial intelligence
techniques—that processes personal information and uses
computation as whole or part of a system to make or execute a
decision or facilitate human decision making. ADMT includes
profiling” (emphasis added). Currently, the California
Consumer Privacy Act (CCPA) defines “profiling” as
“any form of automated processing of personal information …
to evaluate certain personal aspects relating to a natural person
and in particular to analyze or predict aspects concerning that
natural person’s performance at work, economic situation,
health, personal preferences, interests, reliability, behavior,
location, or movements.” Cal. Civ. Code § 1798.140(z).
However, it remains unclear whether the Subcommittee will adopt
this definition of profiling. Indeed, Chairperson Urban noted
during the meeting that this definition covers only a subset of
profiling.

Under the Subcommittee’s proposal, businesses that use ADMT
will have obligations only if they meet certain thresholds. To
determine applicability, businesses will need to ask:

• Is ADMT used in relation to decision making associated with the
  denial of services such as financial or lending services, housing,
  insurance, education enrollment or opportunity, criminal justice,
  employment or contracting opportunities or compensation, healthcare
  services, or access to essential goods, services, or
  opportunities?




• Is ADMT used to monitor or surveil employees or job
  applicants?




• Is ADMT used to track the behavior, location, movements, or
  actions of consumers in publicly accessible places?




• Does ADMT process personal information of consumers where there
  is actual knowledge that those consumers are less than 16 years of
  age?




• Is ADMT used to process personal information for the purpose of
  training ADMT models?

To the extent these questions apply, businesses may be subject
to ADMT regulation.

Cybersecurity Audits

The Board also discussed regulations regarding cybersecurity
audits. The Subcommittee noted that most privacy and data
protection laws do not require cybersecurity audits, but
highlighted several frameworks that it is considering as references
for potential regulation, such as the NIST Cybersecurity Framework
and NY DFS cybersecurity regulations. The Subcommittee is
contemplating how to make auditing feasible to businesses by
considering a number of thresholds. This is good news for small and
medium-sized businesses, because the thresholds currently proposed
are based on the size of the organization, on the resources
available to the business, and on how involved the business is with
consumer personal information. Potential thresholds include:

• Businesses primarily or significantly engaged in sale or
  sharing of personal information (e.g., data brokers).




• Larger businesses that potentially meet a particular revenue or
  processing threshold (e.g., annually processing the personal or
  sensitive information of a certain number of consumers or
  households or annually processing the personal information of a
  certain number of consumers less than 16 years of age.)

Risk Assessments

Finally, the Subcommittee discussed the obligations of
businesses associated with risk assessments. The Subcommittee’s
proposal included recommended and potential thresholds to determine
the applicability of regulations pertaining to the performance of
risk assessments.

Thresholds recommended for implementation included:

• Selling or sharing personal information.




• Processing sensitive personal information, except for employers
  processing sensitive personal information for limited employment
  purposes.




• Processing the personal information of consumers that the
  business has actual knowledge are less than 16 years of age.




• Using ADMT for decisions related to denial of services such as
  financial or lending services, housing, insurance, education
  enrollment or opportunity, criminal justice, employment or
  contracting opportunities or compensation, healthcare services, or
  access to essential goods, services, or opportunities.

Thresholds recommended for further discussion include:

• Processing the personal information of employees or job
  applicants;




• Processing the personal information of consumers in publicly
  accessible places through technologies that track consumers’
  behavior, location, movements, or actions; and




• Processing the personal information of consumers to train
  artificial intelligence.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.