The California Office of Administrative Law recently approved the final California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, and automated decision-making technology. These regulations represent a sea change in U.S. privacy regulation in several respects. Perhaps most notably, the regulations impose a variety of obligations for businesses to designate certain individuals who are responsible for the business’s privacy, artificial intelligence, and cybersecurity practices. These individuals must also submit, under penalty of perjury, certain filings to the California Privacy Protection Agency. This personal aspect of the regulations will require companies to carefully consider which individuals to designate for these roles and how to ensure sufficient organizational support so that they can properly perform their designated roles.
The new CCPA regulations will apply in phases over the next few years. Starting on 1 Jan. 2026, businesses will need to start performing risk assessments for new processing that presents significant risk to privacy or materially changes such existing processing activities. Businesses will need to comply with the ADMT requirements on pre-use notice, opt-out choice, and access by 1 Jan. 2027. Additionally, beginning 1 Jan. 2027, many businesses will enter the initial period subject to mandatory cybersecurity audits. Initial filings with CalPrivacy for certain risk assessments and cybersecurity audits are due no later than 1 April 2028.
What are the qualifications and obligations for individuals submitting filings with CalPrivacy?
In order to be qualified to submit the risk assessments to CalPrivacy, an individual must be a member of the business’s executive management team and be directly responsible for the business’s risk-assessment compliance. The individual must also have sufficient knowledge of the business’s risk assessment to provide accurate information and have the authority to submit the risk assessment to CalPrivacy. The regulations also require the designated individual to submit a specific attestation and provide their name, title, phone number, and email address.
In general, the qualifications to submit the risk assessments appear to limit the pool of possible individuals, given that executive management teams typically include a dozen individuals or fewer. Moreover, the consequences for the individual are potentially significant, as the attestation is a declaration that the risk assessment information is true and correct and is subject to a penalty of perjury under the laws of the state of California. Businesses will need to engage in thoughtful decision-making as to who is qualified and should be making these submissions on behalf of the company. Businesses may also evaluate other related aspects, such as whether to require sub-certifications from different functional or business managers covering their respective domains to support the executive attestations, similar to the sub-certification process typically involved in certifications of financial statements.
A qualified individual to submit the cybersecurity audit to CalPrivacy must be a member of the business’s executive management team and be directly responsible for the business’s cybersecurity-audit compliance. The individual must have sufficient knowledge of the audit to provide accurate information and have the authority to submit the certification. The regulations also require the individual to provide their name, title, phone number, and email address, along with a specific attestation.
The potential range of individuals who could submit the cybersecurity audits to CalPrivacy appears to be even more limited than those who could submit the risk assessment. Among other points, if the company decides to internally perform the independent audit — an alternative to external audit under the regulations — the internal auditor must report to a member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program. As such, it could not be the company’s chief information security officer who submits the report but would rather need to be another member of the executive management team who is responsible for cybersecurity-audit compliance.
Moreover, the substance of the declaration is more detailed than the requirements for risk assessments, as the submitter must attest that the certification is “true and correct” as well as that the business “has not made any attempt to influence the auditor’s decisions or assessments.” Given that the auditor is obligated to rely on specific evidence, including interviews with company personnel, the submitter may benefit from sub-certifications from different individuals or functional/business managers that participated in this audit to help confirm no potential undue influence as well as accuracy and completeness.
What other individuals are designated in connection with the risk assessments?
Risk assessments must identify individuals in three categories. First, all risk assessments must include the date the assessment was reviewed and approved and the names and positions of the individuals who reviewed or approved the assessment. Second, any individual whose duties include participating in the processing that is the subject of the risk assessment must review and approve the assessment. And third, the risk assessment must include the names of the individuals who provided information for the risk assessment, except for legal counsel who provided legal advice.
In general, businesses will need to make some thoughtful, risk-based decisions about which individuals should be included in the second and third categories, with a view to addressing the overall purpose of assuring that the risk assessments are true and correct.
What other individuals are designated in connection with cyber audits?
For cybersecurity audits, the regulations require that the report include the title of up to three individuals responsible for the business’s cybersecurity program. The audit report must also include the auditor’s name, affiliation, and relevant qualifications. In addition, the highest-ranking auditor must sign and date a statement certifying that they completed an independent review, exercised objective and impartial judgment, and did not rely primarily on assertions made by company management.
Key issues companies need to address to get ready for ‘personal’ requirements under the new CCPA regulations
The challenges businesses face under these new CCPA regulations are extraordinary. This is due to the breadth and depth of the due diligence and documentation required, as well as the procedural complexity introduced when designated individuals must consider their own personal accountability — beyond simply helping the company manage its risks. Key issues that businesses should address include the following:
Should cybersecurity audits be performed internally or externally? External audits could be more expensive and challenging to complete. However, they may lessen the complexity associated with internal audits, such as ensuring the auditor is free from “undue influence” by the business and navigating the procedural issues of having the auditor report to an executive business team member who is not responsible for cybersecurity.
Who should submit cybersecurity audit reports to CalPrivacy? The answer here may depend on the response to the prior question, but the limitation that the individual must be a member of the executive management team could significantly narrow the options.
Who should submit risk assessments to CalPrivacy? As per the prior question, the limitation that the individual must be a member of the executive management team could narrow the range of options.
Should we implement sub-certifications to support the risk assessments or cyber audit reports? Given the obligations for the submitters of these reports to attest that the submissions are “true” and “correct” and other features, it would be logical to consider whether or how to structure formal or informal sub-certifications to provide greater confidence for these submissions.
How should a company determine who should be included in risk assessments as having participated in the due diligence and/or the decision-making process? Although there is no one-size-fits-all answer to this question, each company should start by examining its current decision-making processes and governance structure and work to identify a consistent and repeatable basis for identifying the individuals for inclusion in the assessment, with a view to addressing the overall purpose of assuring the risk assessments are true and correct.
Should D&O liability insurance be updated? Directors and officers liability insurance can help to manage risks for individuals and the company in the context of professional liability claims. Having such updated D&O liability insurance and confirming its application to at least the individuals who are submitting filings to the agency in this context could help those individuals gain greater assurance of coverage for any good-faith errors or omissions in the filings and related activities.
What does the road ahead look like?
To address these new CCPA regulations, businesses will need to dedicate more up-front resources to proactive privacy, cyber, and AI compliance. The provisions on individual accountability and responsibility may complicate efforts as companies will need to think about who should be included in the due diligence and who should be making the filings. Although there are staggered lead times before the new regulations become effective, every business should start now to evaluate the types of questions and issues identified above.
Brian Hengesbaugh, CIPP/US, is global chair of the data and cyber practice, and Cristina Messerschmidt is a senior associate at Baker McKenzie.
