California’s CPPA Moves Toward Clarity with Draft Privacy Risk Assessment and Cybersecurity Audit Rules

On August 28, 2023, the California Privacy Protection Agency (CPPA) made strides towards clarity and compliance in data privacy and cybersecurity by releasing an initial draft of proposed rules regarding privacy risk assessments and cybersecurity audits. Legal professionals, particularly those operating in and around California, have been on the edge of their seats, as these proposals represent progress toward the long-awaited guidance on the requirements for risk assessments and cybersecurity audits under the California Privacy Rights Act (CPRA).

The draft proposed rules, which were brought to the table for discussion at the September 8, 2023 CPPA Board Meeting, are, however, still in their early stages. While they hold substantial implications for privacy and cybersecurity, they are not yet fully drafted and the CPPA has not begun a formal consideration process. This is a stark reminder of the evolving nature of data protection regulations and, consequently, of the importance of keeping a finger on the pulse of policy developments – especially for corporations and law firms operating in or interacting with California.

Nonetheless, the release of these draft proposals represents a significant step forward in California’s data regulatory landscape. Despite being in their nascent stages, these proposals shed light on the state’s direction on matters concerning privacy risk assessments and cybersecurity audits. They also provide a snapshot—however incomplete—of what the eventual rules might encompass, giving corporations and law firms a head start in aligning their processes with the proposed regulations.

As with any legal reform, it’s crucial for relevant businesses and legal entities to stay apprised of these developments and respond to them proactively. Given the scope of the CPRA and the implications of the proposed rules, thorough understanding and preparation in anticipation of the final rule enactment are key to successful compliance.