Podcast

We Get Privacy — Episode 18: Preparing for the CCPA’s New Risk Assessment Rules

Details

June 22, 2026

CCPA requirements are turning employers’ everyday data activity into potential compliance exposure. In this episode, Jackson Lewis Privacy, AI and Cybersecurity co-leaders Joe Lazzarotti and Damon Silver discuss the CCPA-defined “high-risk” activities that may trigger risk assessment obligations and offer practical guidance for building a workable assessment process, coordinating with vendors and documenting decisions in ways that support compliance.

Transcript

Joe Lazzarotti
Principal, Tampa

Welcome to the We Get Privacy Podcast. I'm Joe Lazzarotti, and I'm joined by my co-host, Damon Silver. Damon and I co-lead the Privacy, AI, and Cybersecurity Group at Jackson Lewis, and in that role, we receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely? In other words, how do we leverage all of the great things data can do for our organization without running headfirst into a wall of legal risk, and how can we manage that risk without unnecessarily hindering our business operations?

Damon Silver
Principal, New York City

On each episode of the podcast, Joe and I talk through a common question that we're getting from our clients. We talk it through in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks, and what should we be mindful of from an execution perspective? 

Joe, our question for today is: the CCPA had some new regulations come out that were finalized earlier this year. One of the major areas that they tackled was risk assessments. Our question today is, how do we prepare for these new risk assessment regulations? Joe, to get us started, what are the types of activities that would trigger this risk assessment obligation?

Lazzarotti

Glad they gave companies a little bit of time too, as we'll see, to get up to speed on these rules and to actually perform this step. At the outset, in terms of what is a risk assessment and when might companies have to perform one, what the rules are trying to get at is to say, look, there are certain things that they view as presenting, what the rules call a significant risk to consumer privacy. The idea is businesses engage in a whole host of processing activities involving personal information, and the activity itself plus the type of information involved, those things can come together and pose a significant risk to consumer privacy. 

Some of the types of activities that the rules say warrant a risk assessment include if the organization is selling or sharing personal information. An important thing about that, and not just that but other things in the CCPA, like any comprehensive regulation, is those terms are all defined. We won't get into those terms today, but it's important to understand: are we selling and are we sharing personal information? Those terms aren't necessarily what you think, particularly if you're not familiar with the CCPA.

Another activity is processing sensitive personal information, another defined term that outlines personal information that has greater sensitivity according to the regulators. We're talking about things like geolocation data, race and ethnicity, religious beliefs and genetic information. There's an exception there for certain activities in the HR space, like payroll and benefits administration, things like that.

The third activity is using automated decision-making technologies, ADMT, for making significant decisions. We won't dive into that too far. We have another episode that talks a lot about ADMT, so definitely look for that. 

Then there's profiling individuals through systemic or systematic observation when they're acting in their capacity in connection with an educational program, a job applicant, student, employee or independent contractor. There we're talking about when the rules talk about systematic observation, some kind of methodical or regular or continuous observation through, say, Wi-Fi or a camera, geofencing, for example, location trackers, these types of monitoring or tracking of individuals. 

Another area is profiling based on sensitive locations. Just in case you didn’t know, legal service offices, like where we are, that’s a sensitive location. Some other ones include educational institutions, healthcare facilities, and so on. If you're involved in that kind of activity, a risk assessment might be warranted.

Last, processing personal information to train an automated decision-making technology to make significant decisions by using facial recognition, biometric data, or other information to identify individuals. There are a range of areas that an organization might get involved with and the types of information that it uses that could trigger an assessment obligation.

Silver

Joe, that was very helpful. As you can see, there are quite a few different types of activities that, as you mentioned, either because of the data involved or because of the activity itself, are considered higher risk. As businesses look through some of the ways that they're processing data now, they're going to be probably unpleasantly surprised at how many common activities they are engaging in now that arguably are going to trigger this risk assessment requirement.

Joe, let's assume we're advising a business that is engaging in one or probably multiple of these activities and that they need to do a risk assessment. What does that process look like? What are some of the key factors? I know there are quite a few, so we could pause on each of them and flesh it out a little bit.

Lazzarotti

The one to start with is who should be involved in doing that assessment. I know one of the key issues there is obviously if someone's going to be involved in an assessment, they would need to understand what the technology does in terms of collecting and how it processes that data.

One of the issues that comes up, Damon, you can talk to this a little bit, is a lot of these processing activities are going to involve a third party. What does that look like in terms of someone at the company, the organization, doing an assessment, but also having to cooperate with a third party to get the information that's necessary for the assessment?

Silver

That's a great question, Joe. It does put a spotlight, and there are a lot of reasons to have a spotlight, on vendor management and on vendor contracting. This is another place beyond what security controls are in place and what restrictions on the use of data, where you really do want to make sure you understand what your vendor's doing. 

Also, to the extent you can, you want to secure, via your contracts, cooperation from that vendor in providing what you need, because you're not generally going to be able to outsource all responsibility for doing risk assessment onto an outside party. Even though it's their tools and their environment that's processing the data, they're processing it on your behalf. That is going to be a potential blind spot that businesses will definitely need to be mindful of and also a challenge, and a reason why you probably want to get started with this process early because it is going to take longer than expected to collect all the information needed, including from these outside parties.

Lazzarotti

I was thinking about that as you were talking because the general rule for a risk assessment process is that you should be doing the assessment before the activity begins. Otherwise, what's the point? Knowing that, as there usually is in a regular set of rules like this, some timelines that you have to adhere to when you conduct these assessments. You can talk about that a little bit in terms of when these assessments have to be performed and what's a good way to approach thinking about this ahead of time, working with the vendor so that you're getting these assessments completed. 

One other thing we'll get to is there's a reporting obligation as well that you have to satisfy. Think about that. How should companies be thinking about that and what's the plan?

Silver

For activities that would trigger the risk assessment obligation that began prior to January 1st of this year and that are continuing afterward, you have an obligation to complete the assessment by December 31, 2027. For activities that began after January 1, 2026, as you mentioned, Joe, you are supposed to be conducting the risk assessment prior to commencing the activity. Then, on a going-forward basis, you're required at least once every three years to refresh your assessment, or if there is a material change in, say, what personal information is being processed or the purpose for the processing or some other factor that influences the risk to the data subject, you're supposed to, within 45 days of that change, do an assessment. 

This is going to be an ongoing process. For those activities that predated January 1st, December 31st of next year does feel far off now. But the truth is, given how many activities may be in scope, how many other parties may be involved, how many internal stakeholders may need to get involved in order to do these assessments, and then the fact that, for new activities beginning after January 1st of this year, you're going to have to do it immediately, this is definitely not something that you're going to want to wait on very long. You're going to want to have a framework in place to deal with those pre-existing activities and also to make sure that, before people are greenlighting new activities that are going to trigger the requirement, you're doing the assessment first, because as you mentioned, there is a reporting obligation. The reports don't have to be submitted until, at the earliest, April 1, 2028, and again, this is going to feel far off, but they are going to cover the period that we are in now. Lapses in compliance now are going to cause problems later.

Lazzarotti

We do a lot of advice for clients around AI governance, and we talk quite a bit about how change management is important, inventorying. We were talking about this recently: having to inventory use cases and tools in order to be able to understand what type of tool you have, what type of output you might expect, and all this kind of stuff. You just mentioned that there's now this requirement, and you're not just talking about a specific AI tool. You're talking about what could be common activities in an organization to monitor customers or record calls.

We can talk about different types of activities, but those activities could change. Sometimes they may even change by the vendor, just going back to the vendor, or they may change by someone in IT. They may change by someone in sales who wants to collect a different element of information because they feel like it may help advance the sales process more efficiently. How do you manage that change process? It seems like it's an internal education that people need to be more aware of. Even though they think they're doing the right thing or trying to help the company, it could create a compliance obligation that they didn't even realize existed. What do you think about that in terms of how to focus on that?

Silver

There definitely has to be continuous education of your workforce on this issue. If you look at an AI meeting assistant, there is a feature that could be turned on that uses voice recognition to identify the parties to a call for purposes of creating the transcript, even if the platform isn't able to identify people based on their login. There are different features out there that could change the analysis. In addition to making people aware that they shouldn't just roll with these new features, they need to make sure that everything's been approved.

You also need to, at the front end, really make sure you have a handle on the tools you're using, how those tools work, and then you need to revisit that regularly because you may have done an initial assessment of a tool that you onboarded, but that tool may look very different now than it did three months ago or six months ago. There needs to be a regular cadence to a review of your inventory of tools to make sure that there hasn't been a change that would necessitate doing a fresh risk assessment or revising your risk assessment in some way.

Joe Lazzarotti

That makes a lot of sense. We could probably take us back to one of the other elements, probably the most critical element perhaps in the risk assessment process, which is cost-benefit. You have to look at the purposes and objectives of conducting the risk assessment, figuring out what the benefits of processing that data are, and then what the impact on consumer privacy is of doing it in that way.

Then, factoring in: should we restrict the processing if that's not the case? That is, if the process of going through the activity you want to go through and the benefits from that do not outweigh consumer privacy. The rules are going to probably want you to restrict that processing so that you don't have that imbalance. At the same time, I don't know what you think about this, Damon, but there's the concept that we talk about a lot, which is data minimization. It's probably an expectation in this process that you would have factored that in. Talk about that a little bit as well. I think that's an important point.

Silver

Data minimization is built into the CCPA generally. There is this obligation to only collect and use and disclose and retain what is minimally necessary for a particular purpose. When it comes to doing this cost-benefit analysis, it may be the case that the risk to consumers of a certain activity is very high if you are going to be processing a very large volume of consumer data or if you're going to be using sensitive personal information, even though it's not necessarily imperative to what's being done. The data minimization obligation generally aligns with being able to engage in this activity because you've determined the benefits outweigh the negative impacts. They fortunately paddle in the same direction in the sense that by abiding by the minimum necessary principle, you are more likely to place yourself in a position where you can say that the risks are sufficiently low and the benefits are sufficiently high that this is a permissible activity. To do that, though, you do need to be thoughtful about how you're using the tool, why the tool is a benefit, both to you, the business, and also to the data subject. You also need to think through the potential risks and whether some of those risks could be mitigated.

One of the risks that's identified is whether there is a risk of a breach or unauthorized access to this information. Are there steps you could take, like encryption or access controls, that would mitigate that risk? Or if there's risk of discrimination, does it make sense to do a bias audit? Or if there's risk of intrusion on someone's privacy rights, are there things you can change in terms of the activity that make those risks less concerning? 

There probably will not be many use cases, Joe, where it's a clear-cut absolutely yes, you can do this or absolutely no, you cannot. What they're looking for, it seems, via these regulations is to make you go through the process of thinking about it. If you're going to green-light one of these activities that's potentially high risk, you need to think about how you're going to structure it so that you are able to show that that benefit sufficiently outweighs that risk. If you're challenged on it later, you obviously want to make sure that you have documentation in place to show that you went through this process and that you arrived at a defensible conclusion.

Joe Lazzarotti

That is the final part on risk assessments. What is a key component of that process? What do you document? What should that report look like? What does it need to look like? Some of the things that are in the rules: one, you have to identify those people. It's not just about naming the right people or thinking about who should be the right person. You're going to have to name that person in your report. You have to set forth the processing purpose, and the rules say it has to be with specificity. You can't just say, for the good of the business. It has to be a specific description of the process. You have to list the categories of personal information and sensitive personal information that you anticipate collecting, processing details, how you're collecting it, whether you're going to retain it, and how many people are affected. Kind of the who, what, where, and why of what you're going to be doing in terms of processing.

Talking about the benefits, the negative impacts, a lot of what you just talked about, Damon, safeguards, and just making a determination of whether your anticipated activity outweighs the impact on consumer privacy, all that needs to be documented. There's a retention period of the longer of the processing activity continuing or five years. It is something that is going to necessitate some type of regular, of course, depending on your activity and whether you are doing things that call for a risk assessment. It makes good sense to have a standardized process for doing this, so that you can be sure to keep track of it and retain it.

Silver

Then, looking at what this risk assessment report requires, Joe, and maybe this is a good place to wrap up, it really does highlight the importance of doing data mapping because so much of what you're required to know about your data processing activities just to know whether a risk assessment is required in the first place, and then what you're required to include in this report, is the type of stuff that you would be capturing in data maps. Knowing what types of information you're collecting and what you're doing with it and what safeguards you have in place to mitigate some of the negative harms that could result from what you're doing with it: retention, data minimization, like all that type of stuff.

You could, on a case-by-case basis for specific activities, come to the conclusion that we need to do the risk assessment and pull the information together. But you are inevitably going to have gaps in your knowledge of what risk assessments are required if you don't have data mapping in place. Also, it's just going to be a much more onerous process to pull together all this information if you are not leveraging a data map and if you're having to go and first start figuring out who knows what and what third parties are involved. Doing this assessment, particularly, as we go forward, and it needs to be done on a continuous basis across a lot of different activities. It's going to become operationally very challenging to do if you're not working off of a pretty up-to-date data map.

Lazzarotti

It definitely makes a lot of sense. That's a good place to wrap up. This covers a lot of ground and is really helpful for certainly a requirement that's coming on a lot of organizations pretty quickly here.

Thanks for listening. If you have any questions or any ideas for topics we haven't covered, please email us at privacy@jacksonlewis.com. 

© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome. 

Focused on employment and labor law since 1958, Jackson Lewis P.C.’s 1,100+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged and stable, and share our clients’ goals to emphasize belonging and respect for the contributions of every employee. For more information, visit https://www.jacksonlewis.com.