Summary:
On May 1, 2025, the California Privacy Protection Agency (CPPA) published a revised draft of regulations intended to clarify the requirements on automated decisionmaking technology, cybersecurity audits and privacy risk assessments. The changes include a refined definition of automated decisionmaking technology, simplified cybersecurity audit requirements and greater precision in risk assessments. A compliance deadline has also been introduced: businesses must comply with the new requirements no later than January 1, 2027.
Original Link:
Original Article:
On May 1, 2025, the California Privacy Protection Agency (CPPA) released a revised draft of its regulations. These modifications, issued in response to public comments on earlier drafts, aim to clarify and simplify key requirements around three main areas: automated decisionmaking technology (“ADMT”), cybersecurity audits, and privacy risk assessments.
### Automated Decisionmaking Technology
– **Refined Definition:** The definition of “automated decisionmaking technology” in Section 7001(e) of the regulations is narrowed to cover tools that “substantially replace human decisionmaking,” a term now defined in the regulations:
  – “For purposes of this definition, to “substantially replace human decisionmaking” means a business uses the technology’s output to make a decision without human involvement.
  – Human involvement requires the human reviewer to:
    – Know how to interpret and use the technology’s output to make the decision;
    – Review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and
    – Have the authority to make or change the decision based on their analysis in subsection (B).”
– The CPPA also deleted earlier definitions of “artificial intelligence” and “deepfake” as unnecessary, streamlining the terminology.
– **Notice to Consumers:** New language in Section 7220(d) clarifies how and when businesses must give notice about ADMT use. A “Pre-Use Notice” must “be presented prominently and conspicuously” to the consumer “at or before” the point at which data collection occurs.
– **Consumer Opt-Out and Exceptions:** The draft regulations continue to give consumers the right to opt out of ADMT-driven decisions. Revised provisions in Section 7221(b) outline exceptions.
– **Extended Compliance Timeline:** To help businesses adjust, the CPPA introduced a compliance grace period, requiring full compliance with all Article 11 (ADMT) requirements by January 1, 2027.
### Cybersecurity Audits
– **Clarified Scope and Terminology:** The revised draft creates a more organized framework for annual cybersecurity audits.
– **Increased Flexibility:** Several changes aim to make the audit process more practical. Only the “highest-ranking auditor” now needs to sign off and certify the audit.
### Risk Assessments
– **Content Requirements and Definitions:** The updated draft provides more precision in how businesses conduct and document privacy risk assessments.
– **ADMT Providers’ Duties:** Section 7153 clarifies responsibilities for businesses offering ADMT on behalf of others.
– **Purpose and Updates:** The draft underscores that the goal of a risk assessment is to determine whether privacy risks outweigh the benefits of processing.
– **Submission to the Agency:** The procedure for submitting risk assessment results to the CPPA has been reworked for simplicity and clarity.
### Next Steps
These revised regulations are not yet final. The CPPA intends to open a 15-day public comment period on the changes, after which the agency could formally adopt the rules, with potential further revisions.