CPPA eyeing broad scope in early discussions around data risk assessments


Businesses’ mishandling of consumer personal data has resulted in data breaches and an erosion of individuals’ rights, members of a California agency tasked with writing privacy risk assessment rules said.

The California Privacy Protection Agency (CPPA) met last week to consider its next batch of rulemaking under the California Consumer Privacy Act, which is set to include requirements for businesses handling the personal data of Californians to conduct risk assessments.

Still in draft form, the rules, along with those concerning cybersecurity audits and automated decision-making, are not expected to be finalized for at least a year. The CPPA previously released a batch of rulemaking that had its enforcement delayed until March 2024 following a legal challenge.

The draft risk assessment regulations are designed to prohibit businesses from handling consumer data if uncontrolled risks—to the security and privacy of the consumer, the public, or the business—outweigh the benefits. Businesses must conduct risk assessments before collecting any personal data and show how they would mitigate any significant risks.
