

Are You Ready? Proposed 2024 CCPA Regulatory Changes


As 2024 approaches, California’s data privacy landscape is set to change significantly through proposed regulations under the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency (CPPA) has released draft regulations covering cybersecurity audits, Automated Decision-Making Technology (ADMT), and risk assessments. Formal rulemaking has not yet begun, but businesses should prepare now for the compliance obligations these drafts signal.

Assessing Current CCPA Applicability

Before delving into the new regulations, a business should confirm whether the current CCPA (as amended by the CPRA, in force since January 1, 2023) applies to it. The law covers for-profit entities that do business in California, collect consumers’ personal information, and meet any one of the following thresholds:

  • Annual Gross Revenue: Over $25 million in the preceding calendar year.
  • Personal Information Handling: Buys, sells, or shares the personal information of 100,000 or more consumers or households per year.
  • Revenue from Selling or Sharing Personal Information: 50% or more of annual revenue.

Doing business in California does not require a physical presence there; a business with no California offices is still covered if it serves California consumers and meets one of the thresholds above.

Rights granted to California residents under the CCPA include the right to know what personal information is collected and how it is used, the right to delete, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information.

Proposed Cybersecurity Audit Regulations

The September and December 2023 drafts introduce regulations on cybersecurity audits, requiring businesses whose processing of personal information presents significant risk to consumers’ security to complete an audit every year. Key aspects of the proposed regulations include:

  1. Definitions: Clear definitions for terms like Cybersecurity Audit, Cybersecurity Program, Information System, Multi-factor Authentication, Penetration Testing, Privileged Account, and Zero Trust Architecture.
  2. Service Providers and Contractors: Mandated cooperation in cybersecurity audits and compliance with CCPA requirements.
  3. Article 9: Cybersecurity Audits: Requirement for businesses with significant risk to conduct annual cybersecurity audits based on specified risk criteria.
  4. Timing Requirements: Initial audit within 24 months of regulations’ effective date, followed by annual audits.
  5. Thoroughness and Independence: Audits conducted by qualified, independent professionals, with detailed disclosure of scope, criteria, and evidence.
  6. Scope of Cybersecurity Audits: Assessment of cybersecurity program components, including authentication, encryption, and zero trust architecture.
  7. Notice of Compliance: Annual submission of written certification confirming compliance or detailing noncompliance and remediation plans.

See also Data Flow Analyzer, Data Discover, Vendor Inventory, and Data Privacy Audits.

Proposed Regulations on Automated Decision-Making Technology

The December 2023 drafts address regulations pertaining to the use of automated decision-making technology, focusing on protecting consumer rights related to access and opt-out mechanisms. Key provisions include:

  1. Definitions: Clarity on terms like Automated Decision-Making Technology, Decision Producing Legal Effects, and Profiling.
  2. Notice of Rights: Mandate for businesses to provide pre-use notices detailing the purpose, opt-out rights, and access information for automated decision-making technology.
  3. Requests to Opt-Out and Access Information: Granting consumers the right to opt-out and access information related to automated decision-making processes.
  4. Special Rules for Consumers Under 16: Introducing rules for consumers under 16, including processes for opting-in to profiling for behavioral advertising.

See also Implementing DNSS and Opt-Out Solutions

Key Changes Under New Rulemaking

The latest rulemaking expands definitions, enhances responsibilities for service providers and contractors, introduces detailed risk assessment requirements, and outlines regulations for automated decision-making technology. Notable aspects include:

  1. Expanding Definitions under § 7001: Inclusion of “artificial intelligence” and a comprehensive understanding of technologies falling under its purview.
  2. Service Providers and Contractors Responsibilities (§ 7050, § 7051(a)(6)): Enhanced obligations and compliance with all applicable CCPA sections.
  3. Risk Assessment Requirements (§ 7150 – § 7152): Detailed criteria for businesses engaging in significant risk activities.
  4. Automated Decision-Making Technology (§ 7153): Emphasis on transparency in explaining validity, reliability, and fairness.
  5. Processing Personal Information for Training (§ 7154): Documentation and communication of permissible uses for training AI.
  6. Balancing Risks and Benefits (§ 7155): Prohibiting processing if privacy risks outweigh benefits.
  7. Timing and Retention Rules (§ 7156 – § 7157): Provisions for timing, retention, and periodic review of risk assessments.
  8. Submission of Risk Assessments to the Agency (§ 7158): Specific timelines and exemptions for submitting risk assessments to the CPPA.

See also PIA and DPIA Automation Software

CPPA Board’s Browser Opt-Out Preference Signals Proposal

The CPPA Board’s legislative proposal, if enacted, would require browser vendors to build opt-out preference signals (such as Global Privacy Control, GPC) into their browsers, simplifying the opt-out process for users. Businesses are already required under the CCPA regulations to honor such signals, but the signals are available by default in fewer than 10% of browsers in use, because the major browsers lack native support for them; the proposal is aimed at closing that gap.
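For the business on the receiving end of an opt-out preference signal, honoring it means treating the signal as a valid opt-out request and never letting its later absence re-enable sale or sharing. The following is an added example, not code from the original post or from Clarip: it assumes the Global Privacy Control specification’s convention that a conforming browser sends the request header `Sec-GPC: 1` (any other value means the signal is not set) and that a site can announce support via `/.well-known/gpc.json`. The consumer-record structure, the sample requests, and the `lastUpdate` value are illustrative assumptions.

```python
"""Honouring a browser opt-out preference signal (Global Privacy Control).

Added example, not part of the original post and not Clarip's code. Assumes
the GPC convention: request header ``Sec-GPC: 1`` means the consumer has
opted out of sale/sharing; any other value or a missing header means the
signal is not set. The consumer record and sample requests are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Mapping

GPC_HEADER = "sec-gpc"  # header names are case-insensitive in HTTP


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a valid GPC opt-out signal.

    Only the exact value "1" (surrounding whitespace ignored) counts, so
    "0", "", "true" or "1, 1" do not opt the consumer out by accident.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrivacyState:
    """Illustrative per-consumer opt-out record (assumed structure)."""

    consumer_id: str
    sale_sharing_opt_out: bool = False
    opt_out_source: str | None = None
    audit_log: list[str] = field(default_factory=list)

    def apply_request_signal(self, headers: Mapping[str, str]) -> bool:
        """Apply the GPC signal from one request and return the opt-out state.

        A present signal switches the consumer to opted-out and is logged for
        the audit trail. A later request without the signal does NOT revert
        the state: an opt-out stays in force until the consumer opts back in.
        """
        if gpc_signal_present(headers) and not self.sale_sharing_opt_out:
            self.sale_sharing_opt_out = True
            self.opt_out_source = "gpc"
            self.audit_log.append(f"{self.consumer_id}: opt-out via GPC signal")
        return self.sale_sharing_opt_out

    def opt_back_in(self, via: str) -> None:
        """Explicit consumer action (e.g. a privacy settings page) re-enabling sale/sharing."""
        self.sale_sharing_opt_out = False
        self.opt_out_source = None
        self.audit_log.append(f"{self.consumer_id}: opted back in via {via}")


def may_sell_or_share(state: ConsumerPrivacyState) -> bool:
    """Gate any sale/sharing action (ad-tech pixel, data export) on the record."""
    return not state.sale_sharing_opt_out


def well_known_gpc(last_update: str) -> dict:
    """Payload for /.well-known/gpc.json announcing that the site honours GPC."""
    return {"gpc": True, "lastUpdate": last_update}


# Constructed sample requests, not captured traffic.
REQUEST_WITH_GPC = {"Host": "example.com", "Sec-GPC": "1", "User-Agent": "Mozilla/5.0"}
REQUEST_WITHOUT_GPC = {"Host": "example.com", "User-Agent": "Mozilla/5.0"}
REQUEST_BAD_VALUE = {"Host": "example.com", "sec-gpc": "0"}


def demo() -> ConsumerPrivacyState:
    """Three requests from one consumer: none, signal, none again."""
    state = ConsumerPrivacyState("c-123")
    state.apply_request_signal(REQUEST_WITHOUT_GPC)  # still opted in
    state.apply_request_signal(REQUEST_WITH_GPC)     # opted out by the signal
    state.apply_request_signal(REQUEST_WITHOUT_GPC)  # stays opted out
    return state


if __name__ == "__main__":
    s = demo()
    print("opted out:", s.sale_sharing_opt_out, "| may sell/share:", may_sell_or_share(s))
    print(s.audit_log)
```

The design choice worth noting is that the opt-out is sticky: the signal is evaluated per request, but the resulting state lives with the consumer record, so a visit from a browser that does not send the header (or a server-to-server data export with no browser at all) still sees the opt-out. Logging the source of the opt-out gives the audit evidence the proposed cybersecurity audit and risk assessment regulations will expect a business to produce.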

In the face of evolving data privacy regulations, businesses must adopt a proactive stance, assess current CCPA applicability, and prepare for impending changes. The proposed regulations highlight the importance of robust cybersecurity measures, risk assessments, and transparency in automated decision-making processes. As California leads the way in privacy laws, businesses navigating these changes successfully will secure consumer trust and compliance in the dynamic regulatory landscape.

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.


Related Articles:

Data Privacy and the Future of Digital Marketing
2023 US Privacy Law Tracker
Understanding US Data Privacy Law Fines
Evolution of digital consent and preferences
What Is GPC (Global Privacy Control), And why does it matter?