Navigating the 2024 Landscape of U.S. Privacy Regulations: Insights from CPRA Webinar Series

Privacy regulations for businesses operating in the United States and internationally will become more complex and compliance more challenging, according to Jennifer Sheridan, Principal, JL Sheridan Law. In the privacy law authority’s online discussion of the newest crop of California Privacy Rights Act (“CPRA”) rules, Sheridan suggests where companies should focus their efforts and resources.

The webinar, moderated by Paragon Legal’s Megan Kelly, builds upon the insights that Sheridan offered in our Part I webinar on the state of the California Consumer Privacy Act (“CCPA”) as modified by CPRA, which is recapped here. 

For 2024, Sheridan distilled the essentials for companies with privacy obligations in the areas of: 

• Impact assessments for high-risk processing, including targeted advertising
• Cybersecurity audits
• Automated decision-making (“ADM” or “ADMT”)
• Revised thresholds for businesses under CCPA as amended by CPRA
• Employee notices under CCPA as amended by CPRA
• Updated privacy policies for CPRA modifications of CCPA
• Upcoming state laws for 2024-2025 

Enforcement deadlines loom large. The Part I regulations were finalized March 30, 2023, and enforcement begins March 29, 2024, after a one-year grace period. There are three sets of Part II regulations pending. Finalization is estimated to occur between summer and fall 2024 and then become enforceable mid-to-late 2025.

A summary of Part II regulations follows with expansive details available in the webinar’s related documents. 

Impact Assessments for High-Risk Processing

For those in the high-risk category, the new rules for risk assessments are:

• Any CPPA covered business must conduct a Risk Assessment (“RA”) if it engages in high-risk processing of personal information.
• An abridged summary of the Risk Assessment must be filed annually with the CPPA.
• Upon request by CPPA, the company will provide the full RA to the agency.

Examples of high-risk processing include ‘targeted advertising’ or ‘behavioral advertising’ under CCPA; “selling or sharing personal information (PI); sensitive PI; ADMT (automated decision making technology); consumers under age 16 that business has actual knowledge of; and processing PI of consumers in publicly accessible places.

Sheridan called out one area to pay close attention: processing PI using technology to ‘monitor Employees, IC, job applicants, students.’ Examples of this monitoring would include keystroke loggers, productivity or attention monitors, facial or speech recognition, and location trackers, among others. 

The potential impact of these new rules is wide. They could apply to fares paid to ride-sharing providers, mobile dating app users, monitoring of grocery chain customers, and behavioral advertising. She cited Amazon’s recent $35 million fine for excessive employee surveillance in France as an example of the growing significance of GDPR style rules in the United States. 

Requirements of the Risk Assessment, as of December 8, 2023 are:

1. Summary of the processing;
2. Categories of PI processed;
3. Context of the processing;
4. Reasonable expectation regarding purpose and compatibility with context. 
5. Operational elements of the processing: adherence to data minimization principles, protocols for data retention; number of consumers affected; technology to be used; names of all service providers or third parties whom the information is shared (or provide explanation for not sharing their names);
6. Purpose of the processing – specific description of the purpose and how processing achieves it;
7. Benefits resulting from the processing; with specificity, including discussion of benefits probability and scale; 
8. Negative impacts on privacy from the processing: with specificity, encompassing sources of impact, as well as probability and extent of benefits. See Section 7152 (a) A-J pp 9-10.
9. Safeguards the business plans to implement to address the negative impacts, including an explanation of how they mitigate risks, and whether there are any residual risks; and 
10. Evaluation of whether the safeguards’ mitigation of negative impacts outweighs the benefits.

Sheridan suggests that companies look to their already adopted Data Protection Impact Assessments (DPIA) as a starting point for tackling the RA requirements.

Cybersecurity Audits

Certain businesses that meet the threshold must conduct annual (prescribed and independent) audits on their cybersecurity practices. The first step to compliance, according to Sheridan, is knowing which companies are covered: 

• ALL data brokers (d)(1)C);
• Other businesses who meet the two prong criteria:

$25m or greater revenue ((d)(1)(A) AND

Process certain types and volumes of PI as defined in (A), (B) and (C) – if the business processes any of them then it needs to conduct an audit.

• PI of 250,000 consumers in preceding calendar year; 
• Sensitive PI of 50,000 consumers in preceding calendar year; 
• PI of 50,000 or more consumers that business had actual knowledge were under 16 years old in preceding calendar year.

The draft regulations prescribe that the audit must be ‘independent’ but they claim that it can be an internal auditor IF it meets the definition and criteria of independent. See 7122 (1) and (2).

Sheridan flags audits as a particularly challenging obligation, with 18 specific technical and organizational safeguards in play. She anticipates most companies will need an external auditor. 

The initial audit is due 24 months following the finalization of the regulations, and then every 12 months following. And while that timeline may seem distant, Sheridan urged companies to start planning strategies and get assistance from privacy professionals now before the best resources are taken. 

ADMT (Automated Decision Making Technology)

To get our minds around ADMT-related regulations, it helps to define what’s covered. 

Basically, it involves any tech facilitating human decision making, in whole or in part. The decisions produce legal or similarly significant consumer effects, e.g., employment, loan, insurance. Additionally, profiling, as related to evaluations, preferences, and employee productivity, is involved. The three overarching requirements for ADMT are:

1. Risk Assessment (must be filed in abridged form)
2. Pre-use notice
3. Opt-out right. There are exceptions to the opt-out notices, which are generally quite narrow and not available for behavioral advertising. 

The RA for ADMT has a lengthy list of requirements, which are detailed in the program documents. Sheridan considers this another tough area to achieve compliance in and encourages covered businesses to put this on their radar now.

Up Next for CA Privacy Rules 

The likely scenarios unfolding in privacy regulations are decisions on the scope of employee monitoring, a deeper look at the negative harms in Risk Assessments, and considerations of the impact of the cybersecurity audit on California businesses. These issues were all discussed in the CPPA’s December 2023 board meeting. 

To prepare for Part II regs, Sheridan suggests that companies review CCPA Part I regs for compliance, including on privacy policy updates (right to correct), the opt-out update (“sell or share”), and new thresholds of what is a business (“buy, sell or share” replaced “buy, sell or receive”). 

To address Part II CPPA draft regs issued in 2023, watch for finalization of Risk Assessments, Cybersecurity Audits and ADMT regulations in 2024. Enforcement will begin in 2025. 

Where should covered businesses look for help to ensure compliance? 

Sheridan and Kelly offered a variety of resources, including privacy-focused organizations like the International Association of Privacy Professionals (IAPP) and alerts from CPPA. 

The regulations are complex, filled with grey areas, and require heavy documentation. Experienced specialists, from privacy compliance consultants to Paragon’s roster of project-ready privacy law attorneys, are a necessity, not a luxury, in Sheridan’s view. The best ones are being engaged now, and she predicts their expertise will be in such great demand that a “cottage industry” of privacy pros will emerge.

Dig deeper into the upcoming CCPA regulations in the webinar materials. To start strategizing,  you can contact Paragon Legal consultants focused on bespoke privacy compliance solutions.