State Privacy Updates - 9/1

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the US states. Here's everything you need to know since our last issue:

1. Draft California Regulations on Cybersecurity Audits and Risk Assessments Published

In advance of its September 8th Board Meeting, the California Privacy Protection Agency (CPPA) has posted draft regulations from the New Rules Subcommittee covering Risk Assessments and Cybersecurity Audits. On several topics, the draft rules set out different regulatory options for consideration by the full Board, suggesting that the Agency is not yet ready to begin formal rulemaking procedures on these documents at its upcoming meeting. Notably absent are draft regulations concerning access and opt-out rights with respect to automated decisionmaking technology (ADMT), which the Subcommittee is also actively drafting.

The draft requirements for both risk assessments (20 pages) and cybersecurity audits (16 pages) are expansive and highly specific. Rather than attempt to summarize these requirements in their entirety, below we share key takeaways:

  • Artificial Intelligence: The Agency's previous "conceptual language" for access and opt-out rights with respect to automated decisionmaking technology turned heads for its breadth relative to other jurisdictions. For example, the conceptual language extends to systems that process personal data that merely "facilitate human decisionmaking" (rather than reach final decisions) and lacks exclusions for ADMT systems with de minimis impact to individuals or communities. The latest draft regulations on risk assessments include similarly broad definitions of both "Artificial Intelligence" and "Automated Decisionmaking Technology"; however, the effect of these broad definitions is narrowed by a separate trigger provision that will only require businesses to conduct risk assessments for ADMT that is used in "furtherance of a decision that results in the provision or denial" of significant life opportunities. Like Colorado's (long since finalized) privacy regulations, the California draft rules include additional assessment requirements for the use of ADMT, such as a plain language explanation of how the business evaluates its covered ADMT systems for validity, reliability, and fairness. Notably, if a business did not consult relevant external parties in conducting a risk assessment of a covered ADMT system, it will be required to explain why. Finally, the Board is also considering requiring organizations to update their ADMT assessments more frequently than their assessments of other significantly risky processing activities (currently penciled in for once every three years or upon a material change in the activity).
  • Reasonable Consumer Expectations: One of the most significant (and under-explored) elements of the Agency's existing CCPA regulations is Section 7002, which establishes purpose limitation requirements tied to the "reasonable expectations of the consumer(s) whose personal information is collected or processed." The draft regulations would build on this requirement by providing that risk assessments shall include information on the consumers' reasonable expectations concerning the purpose for processing their data or the purpose's compatibility in the context in which the data is collected.
  • Restrictions on Processing: In its direction that the Agency promulgate regulations on risk assessments, the CCPA confusingly states that risk assessments should have the "goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public." The draft regulations bring clarity to this ambiguous language by affirmatively stating that businesses shall not process personal information if a risk assessment determines that the risks to consumers' privacy outweigh the identified benefits.
  • Internal Cybersecurity Audits: The draft regulations provide that a business's annual cybersecurity audit may be conducted by an auditor who is either external or internal to the business, provided that certain mechanisms and reporting structures are in place to ensure the auditor's objective and impartial judgment.
  • Filing Risk Assessments: The CCPA appears to contemplate requiring businesses to affirmatively submit all of their risk assessments to the Agency on a regular basis - which would be both a unique and obviously operationally challenging requirement (particularly for the Agency). In the draft regulations, the Agency backs off from this statutory provision and will instead require companies to annually certify and submit an "abridged form" of their risk assessments. The content of these abridged filings has yet to be established.

2. Colorado On Verge of Adopting Rules for Life Insurer Use of Artificial Intelligence

On Thursday, August 31 the Colorado Department of Regulatory Agencies - Division of Insurance held a rulemaking hearing on proposed rules establishing “governance and risk management requirements for life insurers that use external consumer data and information sources (ECDIS), as well as algorithms and predictive models that use ECDIS.” The draft rules provide 13 components for governance and risk management frameworks that life insurers must maintain in order to detect and remediate potential unfair discrimination. The draft regulations are scheduled to take effect on October 30 of this year and the Division will continue to collect written comments through September 6th.

3. Pennsylvania Schedules Informational Hearing on Comprehensive Privacy Bill

The Pennsylvania House Commerce Committee is scheduled to host an "informational hearing" on September 6th concerning the Pennsylvania Consumer Data Privacy Act (HB 1201), a comprehensive privacy bill. HB 1201 is a Democratic lawmaker-led proposal that will be largely familiar to anyone who has experience with the Connecticut Data Privacy Act. However, there are a couple of unique wrinkles, mostly involving covered data, for example:

  • Unlike similar Washington Privacy Act-style bills, HB 1201 uses a California-style definition of "personal data" which includes a list of example data categories.
  • The definition of "Publicly Available Information" (which is, of course, excluded from the requirements of the Act), is narrower than existing state laws, providing that information lawfully made available from government records is not considered publicly accessible if "used for a purpose that is not compatible with the purpose for which" it was published.

While Pennsylvania's legislative session runs through the end of the year, it is unclear whether this "informational" hearing signals momentum for consumer privacy in the Keystone State.

4. Wisconsin Creates AI Task Forces

On August 23rd, Wisconsin Governor Evers signed an executive order creating a task force on Workforce and Artificial Intelligence within the Department of Workforce Development. The express purpose of the task force is to create an action plan for the Governor that includes identifying "the current state of generative artificial intelligence’s impact on Wisconsin’s labor market and develop informed predictions regarding its impact for the near term and into the future."

Separately, on August 24th, Assembly Speaker Robin Vos announced the formation of a somewhat broader bipartisan AI task force that, per the Wisconsin Examiner, "will look at various AI tools — including automated decision tools, facial recognition and generative AI — and study its potential as well as ways of deploying the technology responsibly and ethically."

5. California Suspense File Results

Updated September 4

Friday marked a significant procedural hurdle for legislation in the state of California as hundreds of bills with a budgetary impact either cleared the House and Senate Appropriations Committees or unceremoniously perished on the Suspense File. Notably:

  1. AB 302 (directing an inventory of high-risk automated decision systems used by the government): Advanced with amendments changing the definition of covered state agencies.
  2. AB 1546 (extending the Attorney General's statute of limitations for enforcing CCPA violations from 1 to 5 years, matching that of the CPPA): Failed.
  3. SB 362 (establishing a mechanism through which consumers may submit bulk deletion requests through the California Data Broker Registry): Advanced with amendments. SB 362's right to delete was brought into greater alignment with the CCPA by extending the timeline to respond to deletion requests from 31 to 45 days and incorporating the CCPA's exemptions to the right to delete.

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum.

Matthew R.

Director @ CIPL | Privacy, Data, and Technology Policy

1y

Terrific insights here, thank you, Keir!

Keir Lamont

Senior Director at the Future of Privacy Forum

1y

Article has been updated with results from California's Suspense File hearings.