Privacy by Vote
California Privacy Ballot Initiative Instructs Regulator to Issue Regulations Imposing Cybersecurity Audit and Risk Assessment Requirements
Fall 2020 has arrived and that means several things, even in the current pandemic: college football is back on Saturdays, pumpkin spice coffee is back on the menu in your favorite coffee shop, retail stores are stocked with Halloween candy and costumes, and with election day on November 3rd, politics dominates the daily news cycle. If you are a registered voter in California or a business subject to the California Consumer Privacy Act (CCPA), privacy is also now part of your Fall schedule. The California Privacy Rights and Enforcement Act of 2020 (CPRA or CCPA 2.0) will be on the ballot on November 3rd as Proposition 24. If approved by California voters, the CPRA will amend the CCPA to provide new consumer privacy rights and impose a number of new requirements on businesses that process the personal information (PI) of California residents.
The CPRA, among other things, instructs the California Attorney General (AG) or the new California Privacy Protection Agency (DPA) to promulgate a number of new regulations by July 1, 2022 to address specific privacy issues. The authority assigned to the AG to adopt regulations under the CCPA or CPRA will transfer to the DPA beginning the later of July 1, 2021 or six months after the DPA provides notice to the AG that it is prepared to assume rulemaking responsibilities under the CPRA. Even before this transition of rulemaking power, businesses subject to the CCPA may wish to review two of the future regulatory mandates included in the CPRA as both will impose substantive new requirements on certain businesses.
Privacy Risk Assessments
The CPRA moves the CCPA closer to the European Union’s General Data Protection Regulation (GDPR). One of the ways it moves this needle is through a new risk assessment requirement similar to the data protection impact assessments (DPIAs) required under the GDPR. The CPRA creates a new category of processing, the “processing of consumers’ personal information [that] presents significant risk to consumers' privacy or security” (at risk processing). Some of the factors that may be considered in determining when processing may result in such risk are the size and complexity of the business and the nature and scope of the processing activities.
The CPRA instructs the regulator to issue regulations requiring businesses engaged in at risk processing to submit, on a regular basis, a risk assessment addressing their processing of PI. These risk assessments would be submitted to the DPA and must address the following areas:
- Identify whether the processing by the business involves sensitive PI; and
- Identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing.
The goal of the latter requirement is to restrict or prohibit such processing if the risks to privacy of the consumer outweigh the benefits to the consumer, the business, other stakeholders, and the public. This presumably means that the DPA will be able to instruct businesses to restrict or cease processing based on the results of their risk assessments.
Cybersecurity Audits
The CPRA instructs the regulator to issue regulations requiring any business that engages in at risk processing to perform an annual cybersecurity audit. The regulations would define the scope of the required audits and establish a process to ensure that such audits are thorough and independent. It remains to be seen whether existing cybersecurity control frameworks will be considered “thorough” enough under the final regulations.
Financial services companies that maintain financial account information and other businesses that process sensitive PI may find themselves subject to this new annual cybersecurity audit requirement. Although some companies already conduct annual cybersecurity audits, many companies will need to prepare for and budget for these new required audits. Unlike the required risk assessments, the CPRA does not require that cybersecurity audit reports be submitted to the DPA.
Planning for Changes
“Privacy by design” remains an important approach to protecting PI through technology design. The ballot initiative takes a different approach to protecting PI: “privacy by vote.” Based on early polling data, the ballot initiative will likely pass on November 3rd. If the ballot initiative passes, businesses should begin mapping out a game plan to “redesign” their current CCPA compliance program to ensure they can implement all of the new requirements by January 1, 2023, the effective date of the CPRA. The new privacy risk assessment and cybersecurity audit requirements will be prescribed by regulation, so stay tuned for additional information regarding those requirements and their effective dates.
Privacy is on the ballot this Fall in California, but privacy remains seasonless. Proposed privacy laws that incorporate provisions from the CPRA will likely be introduced in various state legislatures in 2021. The four seasons of 2022 may wind up being déjà vu as companies again, as they did in 2019, prepare to comply with new substantive privacy requirements in California. It may be time to order a grande pumpkin spice latte and sit down with some candy corn and a copy of the CPRA to learn more about this new privacy playbook. Do it now, or mark your calendar for November 4th.