12 October 2023

California Proposes Cybersecurity Requirements For Businesses

K&L Gates

In recognition of Cybersecurity Awareness Month in the US, we will be bringing awareness to relevant 2023 cybersecurity updates each week.

On 28 August, the California Privacy Protection Agency (CPPA) published draft regulations regarding risk assessments and cybersecurity audits for consideration at the Board's September meeting. The draft regulations precede the formal rulemaking process, but provide insight into the CPPA's current priorities.

While the scope of the draft regulations is still indeterminate, we expect applicability to be narrower than the CCPA but with significant obligations for businesses that are subject to the final regulations.

For example, under the draft regulations, risk assessments are triggered by the processing of specific personal information (sensitive or children's), either with certain technologies (e.g., monitoring in employment or public environments) or for certain uses (selling, sharing it for targeted advertising, using automated decision-making technology for significant decisions, or training artificial intelligence or automated decision-making technology). Risk assessments dictate whether processing will be permitted, with such processing to occur only when the benefits outweigh the risks. The frequency of risk assessments is still undetermined, but there will be annual reporting to the CPPA.

Proposed cybersecurity audits are triggered by certain personal information uses (selling, sharing it for targeted advertising), a business's gross annual revenue (amount undetermined), or the volume of consumer data processed (amount and type undetermined). A qualified, independent professional would conduct the cybersecurity audits and make a report to the CPPA. The draft regulations contain detailed requirements for conducting cybersecurity audits.

The CPPA intends to release an updated draft and start the formal rulemaking process prior to its next meeting. Afterwards, comments on the formal draft will be accepted for 45 days.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.