Colleen
We promised the viewers part two on the CCPA rulemaking. Right? I was on with Laura Fandruff a couple weeks ago talking about the cybersecurity updates and was hoping with you today, we could dive into the other two categories, ADMT and assessments. Can you break down for folks what is new in the latest rulemaking?
Alysa
So one, we don't have final rules yet. We are waiting for the Office of Administrative Law to approve it. That should come sometime this month. That is relevant as we just start thinking about effective dates. And so assume that's going to happen this month and nothing shocking happens as part of that review. So then risk assessment obligations are effective January 1st, meaning for any new processing that you are doing, new processing, not an existing processing activity, and making that distinction is not as easy as it may sound. You've gotta do the California regulation type of risk assessments. And so most companies, we've been doing DPIAs, PIAs, figure your acronym, for some time. I think there is a difference here where, under these rules, ultimately, the CPPA auditor is going to be the audience. And so as you're thinking about your template and your process for identifying what is subject to one of these risk assessments, having that external audience, I think, is a really important thing to factor in. They make the distinction between new processing and existing processing activities, which ultimately will have a later submission date, but governance is in having a really good category classification list of your processing activities. In Europe, we had ROPAs, but ROPAs are not a requirement in the US. And so I think challenge one is making a distinction and getting your arms around what practices do we need to have in bucket A versus bucket B. And it may just be that, as a practical matter, you know, you take all of what you've currently been doing assessments on and just assume that that is existing processing activities, and then for new business initiatives that are materially different, you've got your template ready to go and you are already cataloging those as a new thing. So I think just putting some thought and attention to that is gonna be really helpful. You need to do a risk assessment if it poses a significant risk to the consumer's privacy.
And so California breaks it down by, shocking, selling or sharing personal information. We already know that from the other states. Processing sensitive data, also something we would consider for other states, and just from a heat map, that's not going to be a higher risk activity anyway. And then three, are you using automated decision making to make a significant decision? That is where we bring in the ADMT as we start thinking about what we need to consider now for ADMT, and the risk assessments are a big part of that. And then finally, are you using personal information to train ADMT to make a significant decision? So those latter two are just really gonna be premised on ADMT, which means we don't have the luxury of time to get our arms around what business practices would necessitate that type of risk assessment. That's what, in terms of scoping. Ultimately these risk assessments need to be signed off by executive management. And so the who is going to be critical because that's really been left unsaid for the others. And I think most privacy teams have been filling those out and getting stakeholder input, but there's no owner. There's no affirmative business owner. Whereas you have skin in the game when you are an executive and you have to sign off on one of these risk assessments. And I think for a lot of companies it's really identifying and getting that person comfortable with signing off. And when you sign something under penalty of perjury, often you ask more questions. And so building in the time and the process to get folks comfortable with that, so it can be scalable. And then three, ultimately you're gonna be submitting these, as we said. And so what are you submitting? A lot of companies have privileged legal advice as part of how they think through a risk assessment.
And so the ultimate deliverable that is going to go to the CPPA, being pretty intentional about whether it meets all of the regulatory requirements and it is in a form that I can do that with, and I have my privileged legal advice separate, but I can reference it in an efficient way. So those things are linked. So that is risk assessments.
Colleen
The executive approval is interesting to me. Does that change what people are putting in the risk assessment itself from an executive summary standpoint, or do folks need to think about actual new formats?
Alysa
Anytime you have a new audience who is going to be weighing in, you always have to be thoughtful about that audience, both at what they understand and also, for that person to be comfortable if they are signing, there's accountability there. They probably are going to ask different questions than you otherwise might already be running through. So do even some early versions of these first before you roll it out more broadly so that you can start folding in: What are you not expecting? What have you not accounted for that you get in terms of feedback there?
Colleen
Reminds me of, does the consumer understand the privacy policy and does the executive understand the risk assessment?
Alysa
Yes. Yes. That's a great way of putting it. Alright. So that was risk assessments, and then we have ADMT. And ADMT is one of those where, I think, question one is: what would this apply to? Because for other states you had profiling that was always in the category of significant, like, legal-impacting type decisions. And so that was a really small bucket. But with California, it's not just consumers. You have employees that are in scope as a consumer, and you have businesses. So with that larger bucket of who CCPA applies to, I think who and how I'm using ADMT for significant decisions, I think it comes up a lot more. If you're making a significant decision, that means it's providing or denying, in making a decision around, financial lending, housing, education, employment, contracting opportunities, compensation related to that, health care services. And so usually the question I get is, oh, wait a second. Isn't a whole lot of that already exempted under FCRA, or HIPAA if it's health care? And that's true. But if we think about California, it's not a broad exemption. It's, are you processing the personal information in a way that's directly regulated by those statutes? And if you think about ADMT and using information, there's a lot of adjacent new initiatives that the business is super creative and always coming forward with. And I think that presents some additional analysis on, back to what's in scope and what's out, what are the business practices where it's maybe a gray area on whether it is regulated by FCRA, for example. And so thinking about how you would document your process for determining what it's applicable to and what it's not, and then starting to bucket in the things that are in scope. And honestly, I would do this by stakeholders. So I would spend some quality time with the HR side of things. I would spend quality time with data science. And depending on your industry vertical, you're going to pull in other stakeholders as a result of that.
If you're an ed tech, for example, that is going to raise other considerations. So big right now, it's what's in scope and doing a lot of little legwork to get there. It doesn't apply to advertising. That was the big concession on that front, but there's a whole lot that is done with data in this aside from advertising, back to data science and analytics, that then has an access to a decision, that it's gonna be really important to know. Compliance isn't until, we've got some time in the sense of it's not until January 2027, but if you are in scope, we get into these obligations of doing a pre-use notice. And that notice, if you walk back, that notice is sometime in 2026, and we're in fall 2025. And I know for a lot of companies, they roll out privacy notices maybe once or twice a year. And so putting in the time of, what do I even have an obligation for a pre-use notice on, and when would that go into the privacy policy and the publication? And so thinking through that, I think for most companies, there's a number of exemptions within the rule on when you don't need to do, for example, the opportunity to opt out and choices around that. Do your practices fit within the exemptions, or are there changes you would like to make to better fit them within the exemption? So I think a lot of that analysis is what folks are gonna be working on over the next couple quarters at least.
Colleen
As you said, more to come, but it's great to have the practical tips to get started and get ahead of things. Another bit in the news recently was, of course, this multistate sweep focused on global privacy control. In case folks missed it, can you give us a sense of what to take away from that sweep?
Alysa
Sure. So we saw a number of press releases from the California Privacy Protection Agency, the California Attorney General's Office, Connecticut Attorney General's Office, Colorado Attorney General's Office, all focusing on global privacy control and whether companies were complying and recognizing GPC signals and how they were addressing that. And it was part of their consortium. There's a longer list of states that are sharing notes and certainly working together. This was a smaller group, right? Just the states that I had mentioned. And while they all announced it simultaneously, they didn't send kinda one nice packaged letter to each of their targets. They each sent individual letters. And so I think for some companies that might have heard from more than one state, that's a lot of inquiries. And the questions are not necessarily all limited to global privacy control. Anytime you have a regulator looking at your practices, yes, they may have a priority issue. And so the bulk of the questions are really focused on that priority topic, but they need to have context, where they might have a special other priority that is very state specific that they're probably also gonna be curious about and ask about. So I think even if you've never received a regulatory letter, we are at a time where there's just so many more of these going out. You have more states that are sending these out. And I think going through the process of, if I got one of these, what are the first things that I'm going to do so you don't lose time? How am I going to account for that? What are the documents I have that I can pull? Where would I go to look? Just some of this hygiene homework that I think can really help companies prepare and make the most out of their time. That's really important. That was the sweep, and that got a lot of attention, as it should.
But I will also say, those are not the only states that are starting new investigations on privacy compliance related topics. We have seen, for example, Minnesota, who has a law that's not been in effect all that long, also starting to send out investigation letters on different aspects of their law. So I always think, has a new law gone into effect? Are there nuances about that law that are a little different from other states? And am I complying with it for folks in that state? And just go through the user experience to double check on that. That's what it always seems to come back to. Put yourself in your consumer's shoes and see how it feels.
Colleen
Well, thank you for the great practical insights as always. I would be remiss if we didn't wrap with talking about, dun, dun, dun, what we're so excited about, our October 23rd US privacy summit. It is right around the corner. October 23rd in San Francisco, first event of its kind. Registration's rolling in, and I think it's gonna be a fantastic day of just intimate conversations with regulators and practitioners in, frankly, an intimate setting where we don't get to experience these conversations very often. We've been teasing out the regulators joining us on LinkedIn. We have Mike Mako from the CPPA, Stacy Schesser from the California AG's office, Chris Bufaris from the FTC. Alysa, I know you're the brain behind these fireside chats. What are the questions? Like, tease us a little bit on the topics we're gonna hear.
Alysa
I can't put words in anyone's mouth, but I know I can put words in my mouth. And things that I'm always interested in are the time before there's an investigation, the time during the investigation, and then after the investigation, right? What's the significance? What do we take out of that? And then what is yet to come? It's always helpful to get a pulse at the moment on how a regulator is thinking about those. How are they thinking about investigation when they go to start one? What do they do? What's the homework? How do they test and look before? And that really forms the basis of those letters and subpoenas that go out. Each state has its slightly different way that they may go about it. So I think shedding light on that is useful. And then in investigations, many folks have not had the pleasure yet of going through that experience, but what are ways that you can really help yourself? What are ways that can exacerbate and make it a lot more complicated and a lot more expensive and raise a lot more issues? I think to hear the regulator perspective on what they're seeing on that side of the table is really helpful. And then what to take from these different enforcements: a headline of what the main topic was often gets all of the eyeballs, but really going through the complaint and the specific allegations and then the remedies and the injunctive terms, those tell some pretty important stories. How do you make the most of that? So that's part of what I hope to get into, as well as their priorities going forward. What to look ahead to, what the consortium is focusing on. But I am always open to feedback. So if there are topics or questions folks would really love to get covered, I'm certainly happy to take in any comments on that front.
Colleen
Absolutely. Folks, we would love to crowdsource the best questions we can be asking in these fireside chats and panels. So drop in the comments what you'd like to hear from the regulators. And, of course, don't forget to register: October 23rd, in partnership with WISP, Women in Security and Privacy. Alysa and I, Ketch Dry, we're thrilled to host this event, so we just can't wait. We've just dropped the agenda as well. So click on the link in the comments, and you'll see all the great sessions that we're gonna intersperse between these regulator chats. It should be a great one. I think that's it for today. Alysa, thanks for joining me as always, and we'll talk soon. Have a great