Tech & Sourcing @ Morgan Lewis

CPPA Finalizes New Package of Regulations

In a recent LawFlash, a team of Morgan Lewis lawyers discussed new regulations concerning automated decision-making technology (ADMT), cybersecurity audits, and risk assessments that were finalized by the board of the California Privacy Protection Agency (CPPA). While the CPPA also revised existing regulations, the new regulations impose additional requirements on businesses operating in California, particularly with respect to those using ADMT to make significant decisions without human involvement.

The new regulations clarify what the CPPA board considers to be a “significant decision” when made by ADMT. At a high level, significant decisions include those related to financial services, housing, education, employment, or healthcare. If any of those areas are implicated, businesses must ensure human oversight of these decisions and provide clear notices to consumers.

Additionally, the CPPA board now mandates cybersecurity audits for businesses where personal information processing poses a “significant risk” to consumer privacy. Among other requirements, these audits must be conducted annually by an independent auditor and cover various security aspects, including encryption, access controls, and incident response management. The timeline for compliance is phased based on business size, with audits starting in 2027 for larger companies.

Finally, the CPPA board has moved to require risk assessments when there is a significant risk to consumer privacy posed by a company’s operations, such as selling personal information or using ADMT for significant decisions. Businesses must update these assessments every three years and submit summary reports to the CPPA.

The LawFlash includes a more thorough discussion of these and the other implications of the new CPPA regulations, which are now pending final approval by the Office of Administrative Law. While the Office of Administrative Law has 30 days to approve the rules, businesses may want to begin evaluating compliance preparations based on the nature and scale of their operations. Together with our colleagues specializing in cybersecurity, incident response, and privacy, Tech & Sourcing @ Morgan Lewis will continue to monitor the evolving landscape of state and federal privacy regulations.