California: CPPA requests comments on proposed CCPA Regulations

On November 22, 2024, the California Privacy Protection Agency (CPPA) requested public comments on the California Consumer Privacy Act (CCPA) Regulations on Cyber Risk, Automated Decision-Making Technology (ADMT), and Insurance (the CCPA Regulations). Public comments may be submitted until January 14, 2025.

The CPPA highlighted that the Proposed Regulations were published following the vote to commence formal rulemaking on November 8, 2024.

Amendments to the CCR

The CCPA Regulations would amend Section 7002 of the California Code of Regulations (CCR) to clarify that a business must allow consumers to withdraw consent to the collection and processing of personal information, unless an exception applies. Section 7003 of the CCR would be amended to require mobile apps to include a conspicuous link within the app for privacy-related links. Likewise, Section 7011 of the CCR would be amended to require mobile apps to include a link to the business's privacy policy, which must describe the categories of sources and third parties in a meaningful and understandable manner.

Section 7010 of the CCR would be amended by the CCPA Regulations to require businesses that use ADMT to provide consumers with a pre-use notice, which includes a link through which consumers can opt out of the use of ADMT. However, there are exceptions to the use of the opt-out link. The right to opt out from ADMT must be explained alongside the right to access ADMT if businesses are using it. Notably, businesses must also provide a general description of the process used to verify a consumer's request to access ADMT.

In addition, Section 7024 of the CCR would be amended by the CCPA Regulations such that businesses provide a way for consumers to confirm that certain sensitive personal information the business maintains is what the consumer believes it should be. Where businesses deny a request to know in whole or in part, they must inform the CPPA or the Attorney General (AG).

Section 7050 of the CCR would be amended to clarify that the purposes for which a service provider or contractor retains, uses, or discloses personal information must be reasonably necessary and proportionate to serve the purposes listed in the CCPA Regulations.

Cybersecurity audits

Notably, with regard to cybersecurity audits, the CCPA Regulations detail what cybersecurity audits must cover. Specifically, audits must identify, assess, and document how a business's cybersecurity program protects personal information from unauthorized actions, and identify, assess, and document components of the business's cybersecurity program. Components include authentication, multi-factor authentication (MFA), encryption of personal information, account management, and access control.

Risk assessments

The CCPA Regulations require businesses to conduct a risk assessment when their processing of consumers' personal information presents a significant risk to consumers' privacy. This includes circumstances such as when a business:

  • sells or shares personal information;
  • processes sensitive personal information, subject to exceptions; or
  • uses ADMT for a significant decision concerning a consumer or for extensive profiling.

The CCPA Regulations define 'extensive profiling' and 'significant decision' when it comes to ADMT. The requirements, contents, and aims of the risk assessment are also detailed under the CCPA Regulations.

California Insurance Code

Finally, the CCPA Regulations specify that insurance companies that meet the definitions of 'businesses' under the CCPA must comply with the CCPA regarding any personal information collected, used, processed, or retained that is not subject to the California Insurance Code. The CCPA Regulations recognize that the CCPA and California Insurance Code may overlap in their jurisdiction.

You can read the press release here, the Notice of Proposed Rulemaking here, and the Text of Proposed Rulemaking here.