On 28 Aug., the California Privacy Protection Agency released its initial draft regulations for cybersecurity audits and risk assessments. The CPPA has not yet commenced its formal rulemaking process for these regulations, which will assuredly undergo several rounds of revision. Once finalized, businesses will be required to perform annual cybersecurity audits and regularly submit risk assessments to the CPPA regarding their processing of personal information. Businesses will undoubtedly be monitoring the future development and implementation of these regulations.
With cybersecurity incidents on the rise and front of mind for lawyers and board members – 43% of organizational leaders anticipate a cyberattack will materially affect their organization in the next two years – the cybersecurity audit regulations provide accountability mechanisms and create considerable compliance obligations for businesses. They require businesses to undergo annual independent audits to assess, document and summarize the components of their cybersecurity programs, focusing on any gaps or weaknesses. The draft regulations enumerate examples of "negative impacts" on consumers' security and safeguards businesses use to protect personal information that must be assessed in the context of the cybersecurity program.
Likewise, the risk assessment regulations focus heavily on privacy-related risks posed by artificial intelligence and automated decision-making technologies that are increasingly prevalent across many industries. As prescribed, risk assessments must be conducted and submitted whenever a business's personal information processing presents a significant risk to consumers' privacy or security. The draft regulations provide seven examples of activities falling within this purview, including "selling or sharing personal information," "processing sensitive personal information" and "processing the personal information of consumers" to train AI or automated decision-making technologies. The risk assessments would consist of 10 components, including a summary of the processing, categories of personal information to be processed, operational elements of the processing, purposes of the processing and more.
Before these requirements come into effect, however, the regulations must go through a California regulatory process that is lengthy, intensive and not without some uncertainty. The following provides an overview of the procedural steps that deserve the most attention and the CPPA's expected timelines for developing and finalizing regulations.
Statutory authorization
As an initial matter, any rulemaking must be authorized by statute. Authority for the cybersecurity audit and risk assessment regulations derives from California Civil Code § 1798.185(a)(15)(A) and (B), respectively. All action by the CPPA must therefore derive from the authority given to it by the California legislature through the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
Stakeholder input before rulemaking
Before the formal rulemaking process commences, the CPPA invites preliminary comments on proposed rulemaking. It then receives and processes public comments to inform its drafting of the proposed regulations. The California Administrative Procedure Act requires this step "to increase public participation and improve the quality of regulations." It does not impose deadlines for when this must occur. Generally, the CPPA seeks to engage with a broad swathe of stakeholders to ensure each new or amended rule under the CCPA, as amended by the CPRA, is thoroughly considered.
Next come the draft regulations, released by the CPPA only for board discussion and public participation. The draft regulations often resemble the final regulations. On 8 Sept., the board met to discuss the draft cybersecurity audit and risk assessment regulations, debating scope, applicability, timing and details required for performing audits and filing assessments, and the burden they impose on businesses, among other topics.
Initiating formal rulemaking
To initiate the formal rulemaking process, the CPPA must publish a notice of proposed action in the California Regulatory Notice Register. It must post that notice to its website, as well as "express terms" – or the text of the regulations – and an initial statement of reasons explaining why it is making the proposed changes. During the 8 Sept. meeting, the board stated its intention to release proposed regulations and commence formal rulemaking before its next meeting in December.
This notice commences a period lasting a minimum of 45 days, during which members of the public may submit comments. The CPPA is not required to hold a public hearing during this time, unless specifically requested by a member of the public, but typically does so unprompted. The CPPA must likewise respond to any oral comments made during the public hearing.
Responding to feedback
Processing these written and oral comments is typically the most labor-intensive portion of the rulemaking process for the CPPA. It must summarize and respond to each substantive comment made by the public in response to the proposed regulations. A substantive comment is any "objection or recommendation made regarding the specific adoption, amendment, or repeal proposed," according to California Government Code § 11346.9(2). It includes essentially any statement made by the commenter that does not simply support the regulations or provide background information to the comment.
The CPPA must summarize these substantive comments and respond in kind by accepting, accepting in part or rejecting each one. It must attach this dialogue in chart form as an appendix to a final statement of reasons explaining any changes to the proposed regulations. An index of commenters must accompany this chart for ease of navigation within the document, which can be several hundred pages long.
This process creates a substantial paper record within which public concerns are given due consideration, and the CPPA's official positions on the particulars of the regulations are developed with meticulous detail. Further, it can provide a source of useful authority in litigation involving the regulations.
Following this review and processing of public comments submitted during the 45-day period, the CPPA will be required to open a second comment period for a minimum of 15 days if it substantively modifies the proposed regulations. It must summarize and respond to comments received during this period in the same manner as during the 45-day period. If further changes are implemented in response to comments submitted during this 15-day period, another 15-day period must be opened so the public may once more have a say on the latest round of edits.
Agency submission and Office of Administrative Law review
After appropriately processing all public comments, the CPPA must compile and prepare its final rulemaking package, including the text of the final regulations, any outside materials relied upon in drafting the regulations, a final statement of reasons with attached appendices containing summaries and responses, and economic and fiscal impact statements.
Once the Office of Administrative Law receives the rulemaking package, it has 30 working days to review it for compliance with the California Administrative Procedure Act and OAL regulations. The OAL may communicate with an agency to resolve minor issues but may disapprove the rulemaking action entirely for larger problems. If approved, the OAL will issue a notice of approval, and the regulations will come into effect on that date, presuming the CPPA expressly requests the earliest possible effective date and the OAL grants that request.
However, following the Sacramento County Superior Court's decision to delay the effective date of the prior round of CPRA regulations, the effective date of other pending rules will also be 12 months from the date of finalization. The court determined that a 12-month period for future rules is in keeping with voters' intent to give affected businesses time to comply.
The prior round of CPRA regulations was approved 29 March, 564 days after the invitation for public comment that preceded them was first published on 22 Sept. 2021. The formal rulemaking process, from the notice register publication date, 8 July 2022, to OAL approval, lasted 244 days. At this pace, accounting for the requisite 12-month delay, the latest round of regulations would be finalized somewhere around 27 Aug. 2024 and come into effect 27 Aug. 2025. This is likely an overly simplistic calculation, of course, as the cybersecurity audit and risk assessment regulations cover considerably less subject matter than the previous round of regulations, so developing this coming rulemaking package may not require the same amount of time as the CPRA regulations.
Nonetheless, practitioners concerned with the upcoming regulations can look forward to a lengthy and involved rulemaking process, with another opportunity to submit comments after the notice of proposed rulemaking expected in the coming months. Of course, one step behind these two rules is the expected rulemaking on automated decision-making, the draft text of which has not yet been released but will no doubt be worthy of much future discussion.