CPPA publishes draft regulations for cybersecurity and risk assessments

Julie Rubash, Chief Privacy Counsel
September 5, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

CPPA Publishes Draft Regulations for Cybersecurity and Risk Assessments

The California Privacy Protection Agency (CPPA), as part of the meeting records for its September 8 board meeting, published two sets of draft regulations, one covering cybersecurity audits and one covering risk assessments.

Cybersecurity regulations

The draft cybersecurity regulations would, among other requirements, obligate businesses whose processing of personal information presents a “significant risk” to consumers’ security (determined by factors set out in the regulations) to complete a cybersecurity audit conducted by an independent auditor within 24 months, and annually thereafter.

Service providers and contractors would be obligated to cooperate with such cybersecurity audits.

Risk assessment regulations

The draft risk assessment regulations would require businesses whose processing of personal information presents a “significant risk” to consumers’ privacy to conduct a risk assessment before initiating the processing, and would obligate service providers and contractors to cooperate with such assessments.

“Significant risk” is defined by reference to categories of processing set out in the regulations, which include, among others, any sale or sharing of personal information and any processing of sensitive personal information.

The risk assessment would need to meet certain content requirements, including, among other elements, a description of consumers’ reasonable expectations concerning the purpose of the processing, and whether consumer control over the processing was impaired or consumers were coerced into allowing it.

The draft regulations also set out additional assessment requirements for businesses that use automated decision-making technology, or that train automated decision-making technology or artificial intelligence.

The draft risk assessment regulations include, as an example of a business that would have to conduct a risk assessment, a business that seeks to target consumers with payday loan behavioral advertising on different websites based on data collected from a personal-budgeting application into which consumers enter their financial information, including income.

Although this example could fall into several of the categories cited in the regulations, the example states that the business must conduct a risk assessment “because it seeks to share personal information”.

The regulations also mention targeted advertising when listing examples of negative impacts businesses must consider as part of their assessments.

Specifically, the regulations note the “stress and anxiety from regularly targeting a consumer who visits websites for substance abuse resources with advertisements for alcohol” as an example of psychological harm that could result from personal information processing.

Planned Parenthood Sued Over Web Tracking Allegations

A class action has been filed against Planned Parenthood, based on allegations that the reproductive healthcare provider shared sensitive personal information with Meta, Google, Microsoft and Yahoo through tracking code embedded on Planned Parenthood’s website without user consent.

The complaint asserts violations of the California Invasion of Privacy Act (CIPA), the state’s anti-wiretapping law, and the California Confidentiality of Medical Information Act, which requires health care providers to obtain consent before disclosing a patient’s medical information.

Class actions under state and federal anti-wiretapping laws are increasingly being filed over third-party web trackers like those named in this complaint, and not only where sensitive personal information is involved.

The laws differ from state to state; California’s CIPA, for example, imposes liability for reading the contents of a communication while it is in transit without the consent of all parties to that communication, a stricter standard than the one-party consent rule that applies under federal law and in many other states.

In the context of web trackers, plaintiffs claim that a third party’s collection of consumer personal information through such trackers without consent constitutes the unauthorized reading of a communication between the user and the website.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
