Breaking New Ground: Understanding California’s Draft AI, Privacy, and Cybersecurity Regulations

Annual Cybersecurity Audits

One of the key provisions of the draft regulations is the mandatory annual cybersecurity audit for businesses that meet any one of certain criteria, including:

• Annual gross revenues exceeding $25 million
• Processing the personal information of one million or more consumers or households annually
• Handling sensitive personal data for at least 100,000 consumers
• Processing the personal information of at least 100,000 consumers that the business had actual knowledge were minors (e.g., below 16 years of age)
• Employing a specific number of employees (still to be determined)

As with earlier regulations, we expect that the annual gross revenue threshold will not be limited to revenue generated only in California or from California residents.

The audit aims to evaluate the effectiveness of a covered business’s cybersecurity measures and identify any vulnerabilities that could put consumer privacy at risk. Following the audit, covered businesses must submit either (1) a compliance certificate to the CPPA or (2) a written acknowledgement of non-compliance identifying the sections of the regulation the business was not compliant with, the extent of the non-compliance, and a remediation timeline to become compliant. Covered businesses will have 24 months from when these regulations come into effect to complete their initial audit, with annual audits required thereafter.

Automated Decision-Making and AI Risk Assessments

The draft regulations also recommend that covered businesses perform a risk assessment for any data processing activities that could substantially affect consumer privacy. This is particularly important for those using automated decision-making technologies or training AI systems using personal data.

Automated decision-making technologies are broadly defined as systems using personal information to make or execute decisions. AI, meanwhile, is termed as any engineered system capable of generating outputs — like predictions or recommendations — that can influence real-world conditions. These definitions encompass a wide array of applications, from online advertising to facial recognition.

Under the draft regulations, covered businesses using such technologies would need to evaluate both the benefits and risks to consumers. They would also have to provide plain-language disclosures about the technology’s purpose, the type of personal information being processed, and the system’s logic and accuracy.

One point under discussion is the frequency of updating these risk assessments. The possible options range from regular updates every three years to updating only when preparing to initiate a new processing activity. Notably, if a risk assessment finds consumer risks outweigh benefits, the covered business must refrain from proceeding with the data processing activity.

What This Means For You

If implemented, these draft regulations could impose substantial compliance obligations on covered businesses, especially those leveraging advanced technologies like AI and automated decision-making. Not only would there be the requirement for regular cybersecurity audits, but businesses would also need to document comprehensive risk assessments for any innovative data processing techniques. These responsibilities may entail considerable costs and could potentially delay the adoption of transformative technologies.