In August, the California Privacy Protection Agency (CPPA) released its initial draft regulations for cybersecurity audits and risk assessments under the California Privacy Rights Act (CPRA). While the CPPA has not yet commenced its formal rulemaking process for these regulations, once finalized, businesses will be required to perform annual cybersecurity audits and regularly submit risk assessments to the CPPA related to their processing of personal information. Last week, at the “Privacy. Security. Risk. 2023” conference hosted by the International Association of Privacy Professionals (IAPP), Executive Director of the CPPA, Ashkan Soltani, indicated that the board will begin its discussions about these draft regulations at its yet-unscheduled November meeting. However, before these regulations become effective, the draft must go through the lengthy California regulatory process.

As currently drafted, the risk assessment regulations focus on privacy-related risks in the use of artificial intelligence and automated decision-making technologies. Note: risk assessments must be conducted and submitted to the CPPA where the business’ processing of personal information presents a significant risk to consumers’ privacy or security. What exactly does that mean? The draft regulations provide some examples, such as selling or sharing personal information, processing sensitive personal information, and processing the personal information of consumers to train AI or automated decision-making technologies.

As part of the lengthy rulemaking process, the CPPA will request public comment on the draft and then summarize the comments and respond to each one. After processing all of these public comments, the CPPA will compile and prepare its final rulemaking package. This package will include the text of the final regulations, documentation and materials relied upon in the drafting of the regulations, a final statement of reasons with attached appendices containing summaries and responses, and economic and fiscal impact statements. But when will this process really begin?

Well, taking the timeline and process for issuing the final CPRA regulations, which took a little less than 250 days, as an estimate, the last round of cybersecurity audit and risk assessment regulations will likely go into effect in August or September 2024. However, since these regulations are narrower and cover less subject matter, developing this rulemaking package may not require as much time as the CPRA regulations did.