On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:
More detail about these requirements is provided below.
Risk Assessment Draft Regulations
Cybersecurity Audit Draft Regulations
These draft rules are the first iteration of the CPPA’s second CCPA rulemaking package, and they will likely undergo several rounds of revisions before being finalized. Notably, the CPPA is also considering rules on access and opt-out rights relating to automated decision-making technology as part of this second package, but it has not yet released a draft. The CPPA also has yet to specify a timeline for when these rules will be finalized or take effect.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Madeline Cimino, Roger Li, or any member of the firm's privacy and cybersecurity practice.