Breaking New Ground: Understanding California’s Draft AI, Privacy, and Cybersecurity Regulations

In advance of its September 8, 2023 board meeting, the California Privacy Protection Agency (“CPPA”), the state’s privacy regulatory body, has unveiled draft regulations that could significantly impact cybersecurity protocols, artificial intelligence (“AI”), and automated decision-making practices. Though these draft regulations are still under discussion and haven’t been officially implemented, it’s crucial for businesses to understand what the CPPA is considering. We at V&E are closely tracking these developments to help you navigate potential changes.

Annual Cybersecurity Audits

One of the key provisions of the draft regulations is the mandatory annual cybersecurity audit for businesses that meet any one of certain criteria, including:

  • Annual gross revenues exceeding $25 million
  • Processing the personal information of one million or more consumers or households annually
  • Handling sensitive personal data for at least 100,000 consumers
  • Processing the personal information of at least 100,000 consumers that the business had actual knowledge were minors (e.g., below 16 years of age)
  • Employing a specific number of employees (still to be determined)

As with earlier regulations, we expect that the annual gross revenue threshold will not be limited to revenue generated only in California or from California residents.

The audit aims to evaluate the effectiveness of a covered business’s cybersecurity measures and identify any vulnerabilities that could put consumer privacy at risk. Following the audit, covered businesses must submit either (1) a compliance certificate to the CPPA or (2) a written acknowledgement of non-compliance identifying the sections of the regulation the business was not compliant with, the extent of the non-compliance, and a remediation timeline to become compliant. Covered businesses will have 24 months from when these regulations come into effect to complete their initial audit, with annual audits required thereafter.

Automated Decision-Making and AI Risk Assessments

The draft regulations also recommend that…
