Audits and risk assessments under the California Privacy Rights Act

Published on

The passage by the voters in November 2020 of the California Privacy Rights Act (CPRA) by initiative is a significant development for all businesses with activity in California. It expands upon the California Consumer Privacy Act (CCPA), creating additional rights for consumers and obligations for businesses. It also creates the first state agency in the state dedicated to privacy, the California Privacy Protection Agency (Agency).

Most of the provisions of the CPRA will not go into effect until January 1, 2023. However, the Agency will be formed in 2021 and regulations adopted in 2022. There are 22 areas where the CPRA directs the Agency to adopt regulations. This series looks at the crucial changes implementation of the CPRA will bring to the California landscape and predicts what businesses will need to do to prepare.

Audits and Risk Assessments

One of the CPRA's most impactful provisions will require businesses to conduct annual cybersecurity audits and "regular" risk assessments if the business's "processing of consumers' personal information presents significant risk to consumers' privacy or security." To determine if processing "may result in significant risk to the security of personal information," the CPRA identifies two factors to be considered: (1) the size and complexity of the business; and (2) the nature and scope of processing activities.

The Agency is directed to adopt regulations regarding these audits and risk assessments. However, the law in its current form provides some guidance. Businesses themselves will need to define the audit's scope and "establish a process to ensure that audits are thorough and independent." Risk assessments will be submitted to the Agency and will need to disclose if the processing includes sensitive personal information. If they disclose such processing, businesses will also need to identify and weigh the benefits and potential risks of the processing, "with the goal of restricting or prohibiting the processing if the risks to [the] privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public."

This risk assessment requirement is similar to the EU General Data Protection Regulation (GDPR) so it may be logical to look to the European experience for guidance. Both the European Data Protection Board and individual countries have issued guidance for businesses that clarify these requirements and made them more operational. Whether the Agency will provide similar direction about the type of processing subject to the audit and risk assessment requirements is an issue for businesses to watch.