Privacy & Information Security Law Blog

The California Privacy Protection Agency (“CPPA”) recently released modified draft California Consumer Privacy Act regulations (“CCPA Regs.”) in response to public feedback, with a focus on the sections addressing cybersecurity audits, risk assessments, automated decisionmaking technology (“ADMT”) and sensitive data.

Cybersecurity Audits

New Definition of “Cybersecurity Audit Report”: The updated CCPA Regs. adds a definition of “cybersecurity audit report,” clarifying that the term refers to the specific documentation required as part of a business’s annual cybersecurity audit required under Article 9 of the CCPA Regs. (CCPA Regs. Sect. 7001(n)).

Expanded Scope of “Information Systems”: The definition of “information system” was revised to explicitly include service providers’ or contractors’ systems used on behalf of the business. This ensures businesses account for third-party environments when assessing cybersecurity risk. (CCPA Regs. Sect. 7001(w)).

Deadline-Specific Requirements for First Cybersecurity Audit: The updated CCPA Regs. include deadlines by which a business must complete its first cybersecurity audit, which is dependent upon when a business determines its processing activities present significant risk to consumers’ security. (CCPA Regs. Sect. 7121(a)).

Scope and Documentation of Cybersecurity Audits: The updated CCPA Regs. clarify that auditors may include recommendations “separate from articulating audit findings,” helping delineate reporting expectations. (CCPA Regs. Sect. 7122(a)(1)). The Regs. also include examples of what how a cybersecurity audit report must describe the audit’s scope (e.g., the processes, activities and components of the information system assessed), and extend the requirement to retain documents to both the business and the business’s auditor. (CCPA Regs. Sects. 7122(d), (j)).

Risk Assessments: Updates to Roles, Disclosures and Safeguards

Responsible Personnel and Decisionmakers: The updated CCPA Regs. now require that risk assessments identify not only the individuals who reviewed or approved the assessment but also the individual with the authority to determine whether the business will proceed with the associated data processing activity. (CCPA Regs. Sect. 7152(a)(9)).

Timing for Risk Assessments: The updated CCPA Regs. establish a calendar deadline for conducting risk assessments for data processing activities that began prior to the updated regulations’ effective date but continue afterward. (CCPA Regs. Sect. 7155(c)).

Automated Decisionmaking Technology (“ADMT”)

Consumer Rights and Business Obligations: The updated CCPA Regs. specify that, upon a consumer’s opt-out request, businesses must notify service providers and contractors of the specific ADMT use for which the consumer opted out. (CCPA Regs. Sect. 7221(n)(2)).

Removed Requirement to Document “Quality of Personal Information” in ADMT Risk Assessments: The CPPA removed a provision that would have required businesses to assess and document the quality of personal information (e.g., the accuracy, reliability and consistency of the information) used in ADMT or artificial intelligence (“AI”) systems. (CCPA Regs. Sect. 7152(a)(2)(B)).

Expanded Definitions of Sensitive Data Categories

Addition of “Neural Data”: The definition of “sensitive personal information” was revised to include “neural data,” aligning with other states’ emerging concerns around brain-computer interface technologies. (CCPA Regs. Sect. 7001(ddd)).

Exemption for Non-Identifiable Physical/Biological Traits: The CPPA added an exception to the definition of “physical or biological identification or profiling,” excluding traits that cannot be linked to a specific consumer. (CCPA Regs. Sect. 7001(hh)).

Notice at Collection – AR/VR and Device-Based Interactions

Timing Flexibility for Notice in New Environments: The updated CCPA Regs. allow businesses to provide notice either before or “at the time” a device begins collecting personal information that the business sells or shares. (CCPA Regs. Sects. 7013(e)(3)(C), (D). This change accommodates more dynamic and immersive tech environments.

Enforcement and Simplification Measures

Removed Requirements for Agency Complaint Information: The CPPA removed the obligation to inform consumers about their ability to file complaints with the CPPA or Attorney General.

Deleted Redundancies and Technical Burdens: Several provisions were struck to streamline requirements, including § 7023(f)(3), which previously required businesses to notify others that a consumer contests certain personal data accuracy claims.

Businesses subject to the CCPA should review these changes carefully, ensure internal alignment with new deadlines and definitions, and prepare for continued rulemaking as the CPPA moves toward finalizing these updates.