Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations. Accordingly, the draft risk assessment regulations are subject to change. Below are the key takeaways:
When a Risk Assessment is Required
The draft regulations would require businesses to conduct a risk assessment before processing consumers’ personal information in a manner that “presents significant risk to consumers’ privacy.” The draft regulations identify several activities that would present such risk:
- Selling or sharing personal information;
- Processing sensitive personal information (except in certain situations involving employees and independent contractors);
- Using ADMT (1) for a decision that produces legal or similarly significant effects concerning a consumer, (2) to profile a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student, (3) to profile a consumer while they are in a public place, or (4) for profiling for behavioral advertising; or
- Processing a consumer’s personal information if the business has actual knowledge the consumer is under 16.
The draft regulations also contemplate imposing risk assessment requirements where a business processes consumers’ personal information to train ADMT or artificial intelligence used for certain purposes, including:
- The uses of ADMT described above;
- Establishing individual identity based on biometric information;
- Facial-, speech-, or emotion-detection;
- Generating deep fakes; or
- Operating generative models, including large language models.
The draft regulations would require businesses engaged in such training-related processing to make additional disclosures to “recipient-businesses” that are given access to the resulting ADMT. The draft regulations would also require businesses to document their compliance with applicable disclosure requirements in their risk assessments.
Risk Assessment Requirements
The draft regulations would require that risk assessments contain a range of information including, for example:
- A description of the data to be processed and the “operational elements” of the processing;
- An evaluation of the benefits associated with the processing for the business, consumers, and others, as compared against any negative privacy impacts on consumers; and
- A description of the safeguards that the business will put in place to mitigate the processing’s negative privacy impacts on consumers.
As mentioned above, the draft regulations would require additional disclosures for businesses using ADMT for certain purposes. In such cases, a business’ risk assessment would need to provide additional information, including:
- An explanation of how the business evaluates the “validity, reliability, and fairness” of the ADMT;
- An explanation of whether the business evaluated other versions of the ADMT for validity, reliability, and fairness, and why it selected the specific ADMT;
- A description of the need for human involvement (or lack thereof) in the business’ use of the ADMT; and
- An explanation of the ADMT’s logic, including any assumptions.