The CPPA is continuing to provide operating rule guidance, getting more serious about the need for organizational risk assessment & full understanding of your organization’s data and usage/retention of Personal Information. While these are just draft rules, with the potential for change, we don’t anticipate they will diverge drastically.

The Risk Assessment Regulation draft covers critical concepts, such as artificial intelligence and automated decision-making technology, that the CPPA had been tasked with addressing. The Risk Assessment Regulation establishes requirements for service providers and contractors including providing consumers with “meaningful information” about their Automated Decision-Making Technology. Every covered business whose processing of consumer personal information “presents a significant risk to consumers’ privacy” is required to conduct a risk assessment before starting that processing, according to the Risk Assessment Regulation.

The draft is conceptually similar to the data protection impact assessments required by GDPR, the Colorado Privacy Act, and other state legislation, but has a few significant differences that sometimes go beyond current assessment requirements – setting a new risk assessment standard.

Inside the Draft Risk Assessment Regulation:

  • New definitions of “artificial intelligence” and “automated decision-making technology”
  • Examples of processing procedures that pose a serious risk to consumer privacy and call for a risk analysis
    • Selling or sharing personal information
    • Processing sensitive personal information
    • Using automated decision-making technology
    • Processing personal information of consumers that are identified as being under 16 years of age
    • Processing personal information of employees, independent contractors, job applicants or students using technology that monitors them such as keystroke loggers, location trackers, and facial or speech recognition or detection
    • Processing consumer PI in public places using technology to monitor consumers’ behavior, location, movements or actions
    • Processing personal information to train artificial intelligence or automated decision-making technology
  • Content to be included in risk assessments
  • Further guidelines for companies utilizing automated decision-making tools or handling personal data for machine learning or automated decision-making
  • CPPA submission guidelines for assessments

The CPPA will meet September 8th for further discussion for the Risk Assessment Regulation and the simultaneously released Cybersecurity Audit. While both have available drafts, they are subject to change. Truyo will continue to release information on these assessments as it becomes available.

About Ale Johnson

Ale Johnson is the Marketing Manager at Truyo.