California Takes Steps Toward Regulating AI and Cybersecurity

Penka Hristovska, Senior Editor

The state of California is making a serious effort to boost cybersecurity, improve risk assessment, and regulate the use of AI (Artificial Intelligence) technology.

California’s consumer privacy regulator, the California Privacy Protection Agency (CPPA), released a draft of proposed changes and revisions aimed at introducing better privacy measures.

CPPA is seeking to regulate automated decision-making technology (ADT), which, per the draft, is any system or software that analyzes personal data using advanced computer algorithms to either make decisions or help in decision-making.

The proposed regulations introduce specific criteria for when businesses must notify consumers, offer them an opt-out choice, and provide access to their data in the context of ADT. These criteria include situations where ADT significantly affects consumers legally — for example, when it is used in profiling activities for employment, public spaces, or targeted advertising, and when the consumer being profiled is younger than 16 years.

CPPA is also looking to refine the criteria for mandatory cybersecurity audits, which would evaluate potential harms caused by data breaches, including economic, psychological, physical, and reputational damage to consumers. The privacy regulator is proposing a dual threshold: businesses with at least $25 million in yearly revenue and businesses that process a significant amount of personal data.

For the latter group of businesses specifically, the audit requirement kicks in when a business, in the previous year, processed data of 50,000 or more consumers under 16 years old, sensitive data of 50,000 or more consumers, or personal information of 250,000 or more consumers.

Finally, under California’s proposed regulations, businesses will also need to perform risk assessments when they process personal information in a way that poses a significant privacy threat for consumers. This includes activities like processing sensitive information, selling or sharing personal data, and using ADT to make impactful decisions or to profile consumers in various roles.

The regulator wants to reduce the 24-month period that businesses currently have to submit and update their initial risk assessment. Additionally, the CPPA board is suggesting that it be allowed to request risk assessments with a 5-day response time and to involve the Attorney General in these requests. Businesses would also be required to notify CPPA of any changes in their data processing techniques or strategies.

The subcommittee will now refine the proposed changes and return them to the board for a final review before they’re opened for public commentary.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.