CPPA seeking comment on cybersecurity audit, risk assessment rule adds

The rules are part of a package of regulations the CPPA is drafting to implement the California Privacy Rights Act (CPRA), an update to the state’s sweeping 2018 data privacy law, the California Consumer Privacy Act (CCPA).

The CCPA grants comprehensive privacy rights to California customers of large businesses and employees who are residents of the state. The CPRA took effect Jan. 1; the CPPA is drafting the rules to implement it, which it expects to finalize by July 1 or later.

The CPRA mandated the agency write cybersecurity audit and risk assessment rules for businesses whose processing of consumer personal data presents “significant risk to consumers’ privacy or security,” according to the CPPA’s request for comments published Friday.

The agency also will write rules concerning use of automated decision-making technology by businesses regarding consumers’ opt-out rights and their access to data.

The CPPA posted more than five pages of questions on the topics and is seeking feedback until March 27.

In deciding which businesses must conduct cybersecurity audits, the agency will consider “the size and complexity of the business and the nature and scope of processing activities.”

The annual audits must include a definition of the scope of the audit and be independent, the agency said.

Among other questions, the CPPA asked what additional cybersecurity audits, assessments, or evaluations it should consider adding to its regulations.

“What gaps or weaknesses exist in businesses’ or organizations’ completion of or compliance processes with these cybersecurity audits, assessments, evaluations, or best practices?” the agency questioned. “What is the impact of these gaps or weaknesses on consumers?”

Risk assessments must be submitted to the agency on a “regular basis” and show whether the company’s processing of personal data includes sensitive information, such as Social Security numbers and precise geolocation data. The assessments must weigh the benefits to the business, consumers, stakeholders, and public of processing the data against the potential risk to consumers, the CPPA said. The goal of the businesses should be to reduce or prohibit the procedures that place consumer personal data at risk, the agency said.

The rules pertain to companies with annual gross revenue of $25 million or more. The agency is seeking comments about compliance considerations for risk assessments for businesses that make less than $25 million in annual gross revenue.