In December, the California Privacy Protection Agency (CPPA) published revised draft regulations on risk assessments required under the California Privacy Rights Act (CPRA).
Under the prior draft regulations, the CPPA would require every business whose processing of consumers’ personal information presents a significant risk to consumers’ privacy to conduct a risk assessment before starting that processing.[1]
The draft regulations list the following processing activities as presenting a significant risk to consumers’ privacy:[2]
- Selling or sharing of personal information.
- Processing sensitive personal information, excluding the processing of sensitive personal information in the context of employee benefits.
- Using automated decision technology that results in a legal or significant effect on the consumer or that involves profiling, including profiling in the context of behavioral advertising.
- Processing personal information of consumers under the age of 16.
In practice, once these regulations are finalized, privacy risk assessments will need to be conducted on many processing activities within an organization. These include marketing activities that involve profiling or the selling or sharing of personal information, processes that collect precise geolocation data (which is sensitive personal information), applications that use artificial intelligence, and any processing of minors’ data.
The four categories set forth above are not new. What is new are the timing and submission requirements for such risk assessments.
Specifically, the draft regulations state that a business shall have 24 months from the effective date of the regulations to submit its risk assessment materials to the CPPA, and must then resubmit the risk assessment annually thereafter.[3] The submission will also need to include a certification of compliance provided by the “business’s highest-ranking executive who is responsible for oversight of the business’s risk assessment compliance”.[4] The updated draft regulations also describe how an organization can submit an abridged form of the risk assessment.
Many of the CPPA’s proposed requirements are cumbersome, and we will not be surprised if they are pared back. That said, most of the emerging U.S. state privacy laws contain privacy impact assessment requirements, and it is important that organizations develop a scalable privacy impact assessment process now.
In October, before the release of the CPPA’s revised risk assessment regulations, Ankura, in partnership with Squire Patton Boggs, presented a webinar titled “Privacy Impact Assessment (PIA) Masterclass: U.S. State Privacy Impact Assessment Requirements and Implementation Strategy.” The webinar recording and presentation deck are included for convenient on-demand access.
Notes:
1. New Rules Subcommittee Revised Draft Risk Assessment Regulations. California Privacy Protection Agency, December 2023. https://cppa.ca.gov/meetings/materials/20231208_item2_draft_redline.pdf. Retrieved December 21, 2023.
2. Ibid., pp. 4-5.
3. Ibid., pp. 27-28.
4. Ibid., p. 28.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.