In a move signaling its intent to impose significant burdens on businesses subject to its regulations, the California Privacy Protection Agency (“Agency”) has published a set of draft regulations. Although these rules are not yet part of the formal rulemaking process, they focus on two key areas: risk assessments and cybersecurity audits. The draft regulations were made public in conjunction with the Agency’s Board meeting on September 8, 2023.
According to a detailed report published by Husch Blackwell LLP, this development is part of a broader trend towards rigorous privacy protection measures across multiple jurisdictions. The drafts provide insights into the Agency’s ongoing efforts to establish stringent regulatory requirements for corporate entities handling sensitive data.
The risk assessment draft regulation outlines a range of strategies to identify, evaluate, and mitigate privacy risks. Corporations will be required to perform comprehensive risk assessments regarding their data processing activities. The assessments need to consider any detrimental consequences that could befall individuals should their personal data be compromised.
Meanwhile, the cybersecurity audit draft regulation envisions more robust checks and balances for how corporations handle cybersecurity threats and vulnerabilities. Organizations will need to demonstrate an active commitment to cybersecurity practices, including but not limited to, regular audits, timely updates, and suitable contingency measures.
Though they are still in the draft stage, these proposed regulations set the tone for future obligations that businesses operating in California will need to comply with and mirror evolving data privacy trends in other significant markets. It is advisable for business and legal professionals to keep a close watch on the evolution of these regulations and consider proactive measures to ensure future compliance.