CPPA rulemaking: assessments, cybersecurity & ADMT change

Part one of this two-part series dives into key takeaways from recent CPPA board meetings, with a focus on upcoming risk assessment requirements under CCPA/CPRA.

Summary

California's Privacy Protection Agency is pushing to finalize regulations on risk assessments, cybersecurity audits, and automated decision-making technology — topics mandated by Proposition 24 when it created the CPPA as the first independent privacy agency in the US. After years of staff drafting and significant board disagreement, the April 2025 board meeting marked a turning point: draft regulations were substantially pared down in response to business feedback, removing provisions like behavioral advertising scope for ADMT and the zero trust architecture mandate for cybersecurity. The policy direction has shifted meaningfully toward reducing business burden, particularly for smaller companies without in-house legal resources. For risk assessments, the current draft sets a compliance deadline of December 31, 2027 — providing roughly a two-year runway from anticipated finalization. The six categories of processing that trigger a risk assessment obligation are: selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, profiling in an employment or education context, profiling in sensitive locations, and training ADMT systems. Businesses doing targeted advertising as defined by CCPA will generally be covered under the first category, regardless of size. Covered businesses must submit a short certification form signed by a company officer — a lower-disclosure bar than earlier drafts, but one that still requires a genuine underlying assessment. The board directed staff to make further changes and open a 30-day public comment period, with a target July meeting to vote on sending the regulations to the Office of Administrative Law for final review. The earliest the regulations could become legally effective is November 2025. 
The broader tension throughout the process reflects California's unique regulatory context: CCPA applies to employees as well as consumers, and the CPPA operates alongside the state AG — making California's framework more complex than any other US state privacy regime.

Transcript

**Colleen:** Hi, Jenny. How are you?

**Jenny:** I'm great. Nice to be here. Thank you for inviting me.

**Colleen:** Yes. It's such a pleasure to have you. Love to have a new face on the Privacy Huddle every so often, and just thrilled you could join us. How's your Monday? How's your week starting off today?

**Jenny:** Good. I had a nice weekend out here. I'm in Northern California. Beautiful weather. So got outdoors a lot.

**Colleen:** Well, I suspect you're a familiar face to some folks. But in case you're not, to others, can you share a little bit about what you do?

**Jenny:** So I founded, about ten years ago, a boutique law practice focused on privacy, tech, and IP. But I would say for the last several years, it's heavily weighted on privacy compliance. Most of my clients are privately held companies. And so I really help B2C, B2B get compliant with this ever-increasing number of laws. Right? It really started in 2018 with my B2B clients: help us with GDPR, then CCPA. And now I think we have, as of 2025, sixteen laws. We've got some stand-alone laws like Washington's consumer health, biometrics. We are not bored. That's for sure. The other thing I'll just mention, to give a shout-out to the California Lawyers Association: I recently joined the executive committee of the privacy section. Great group of people. We do an amazing event every February called Privacy Summit down in Southern California. And this fall, we're doing a new event in Northern California, October 10 at Berkeley Law School. We've got the save-the-date, so registration coming soon. It's going to be focused on current practitioners that are in the space. And one of my focuses for the workshops that I'm working on designing is the CCPA regs, which we're gonna talk about today.

**Colleen:** Yeah. So let's dive in. I understand you've been following very closely the rulemaking leading up to the board meeting on May 1, the CCPA board meeting. I'd love for you to give us the lowdown. What's the latest in California?

**Jenny:** A lot is happening, and I think the energy I see is really focused on getting this over the finish line. As the board has said, these are policy decisions now that they're making, that they were mandated to draft and pass regulations. I think it's helpful to remember CCPA started in 2018. It was passed by the legislature. But then in California, we have this proposition system. We're not the only state, but we're well known for it. And Proposition 24, also called the CPRA, was basically amending CCPA. And so CPRA, or Proposition 24, the big things that it did was it created this new agency, the California Privacy Protection Agency, one of its kind in the US. No other state has this independent agency. And it also mandated that they draft and pass regulations on these topics that we're gonna talk about today: risk assessments, cybersecurity audits, and ADMT. Again, very new, especially in the US. So the statute was pretty thin. Right? So the staff started working on this in 2022, 2023. They came up with some draft regulations for the board to discuss. I would say the end of 2023, there was a lot of discussion and, let's say, difference of opinions on the board about where these policy outcomes were. And that's where we are right now.

**Jenny:** I look at a lot of things on a spectrum. So I would put on one end of the spectrum the business interests. Businesses are going to feel the burden of this, right, because they are the ones being regulated. So there's, again, a lot of effort for them on that side. And on the other end of the policy spectrum, I put the consumer advocates and the labor interests. You could say they represent the benefits of this regulation, right? This is the purpose of the regulation: to give benefits to consumers. And let's remember, we are unique in California in that "consumers" means not just, again, a B2C business consumer, but a B2B business and employees. Again, only state right now where our general consumer privacy law applies to employees. So that's the policy spectrum. And I would say my view is that when the draft regulations came out in 2023, they were pushing toward the consumer advocacy and labor side. And what we saw in the April 4 meeting and the May 1 meeting is pushing the other way. And the other thing to remember is in November of 2024, when the board voted four to one, there was one holdout, Alastair Mactaggart, that didn't vote to move it forward to the public comment period. Probably the benefit of doing that is it elicited a lot of comments. Of course, a lot from business, but also from consumer advocacy and labor. So the staff did an amazing job of wading through all of that. And what happened in the April 4 meeting is they teed up for the board: here are the main issues that are especially concerning to business, and here are your alternatives from a policy spectrum, and vote on them. The interesting thing that happened at the April 4 meeting was Alastair Mactaggart, who again had not voted to move it forward, seemed very concerned that these draft regs went too far, and he made a motion to actually suspend rulemaking. But he did back off of that because he was convinced: let's go through all of these issues that have been teed up, and let's see where we are, because maybe we will have a narrower set of issues, and you won't feel like you need that motion. And that's kind of what happened in that meeting. There was a lot of consensus, and I think the wins for business right off the bat were no first-party data. The whole new definition of behavioral advertising, gone. Okay? And there was a lot of pushback just on these definitions of what is ADMT, what is a significant decision. Because remember, if we narrow those definitions, then there's less companies that it applies to. So that's what happened in that meeting, and then the staff was supposed to go back and work and come back with something. And what they came back with the day before the meeting, that's been the way it's usually gone, is revised new draft regs pared down to the bone. It definitely pushed things much further toward business and their concerns, because even in, like, the cybersecurity audit regs that weren't really discussed at the April 4 meeting, they made a lot of changes, including removing zero trust architecture, lots of changes again to reflect, I think, businesses' concerns: make this more frictionless, make this easier to, again, implement in the beginning. So that's where I'd say we are on that policy side. Last thing I would just mention is what they decided in the May 1 meeting was they gave some feedback, but it wasn't as detailed as what happened at the April 4 meeting. They basically said to the staff, okay, make some changes based on what we've just talked about. Let's have a thirty-day comment period, come back sometime in July, and possibly vote to send it then to the stage of the OAL that does, like, the final review. So I think Phil Laird, the GC, said probably the earliest we could see them be final legally would be November.

**Colleen:** Got it. Interesting. Well, it sounds like it's largely trending in kind of a positive direction for the average business.

**Jenny:** I'm gonna be a little agnostic on that because I think it really depends where you are on the food chain, so to speak. For my privately held companies, I couldn't be more thrilled for them, because most of them do not have in-house counsel. And so to do, like, the cybersecurity audit, it's gonna be a really heavy lift. But I think it really depends, again, like, where you are in terms of size. In some ways, you could say if these regulations are so heavy, they're gonna benefit bigger companies, because bigger companies already have the infrastructure. Right? What I think is positive, Colleen, is that for these initial regulations, let's make it simpler. And then let's see how they're working, and then we can change them. We can dial it up, dial it down, but let's get them out.

**Colleen:** Absolutely. Yes. I don't think you're gonna find anyone that would argue with that. Well, let's dive into some of these specific areas for the audience who wasn't able to be in person at the board meeting like you were. What do they need to know when it comes to these specific rulemaking areas? Why don't we start with risk assessments?

**Jenny:** Yeah. So I think what's important, again, especially for businesses, is to think of where we are right now. Again, this could change, but where we are right now is the draft regulations are proposing quite a late date for having to have those risk assessments done. The date is December 31, 2027. So assuming we even get them final this year, that's like a two-year ramp-up period. Right? Quite a bit of time. The other requirement that I think business was concerned about was the reporting. Now this is what's unique about California. I wrote an article about this for IAPP on April 2. It was called "California legislators challenge independence of CCPA rulemaking authority." I look back at Proposition 24, and what's really required? One of the things that's required in California is that businesses that are covered submit regularly their risk assessment. In Colorado, for example, that's the only other state that has regulations. But Colorado and other states that are due right now, I have to tell my clients, if we're in those statutes, you know, the thresholds, we need to be doing a risk assessment or impact assessment if we're doing high-risk processing, but they don't require an actual submission. The way it works in Colorado, Virginia, Connecticut, those states, is upon request by the attorney general, because the attorney general is the enforcing authority. We have two in California, remember. We have our attorney general in California, and we have the agency. So what California is doing by, again, December 31: if you are required to do a risk assessment, there's a very short form you're gonna have to fill out with information like, obviously, the business, how many risk assessments, what categories of personal information are covered, but not any detail about the risks, the mitigation, some things that earlier drafts had. So you will have to certify it by an officer of the company. So, again, something you gotta take seriously. You better not just fill it out if you haven't done it.

**Jenny:** One of the board members asked a good question to the staff. Is this something that the business can do itself? And, again, that's where we get on that question of, like, where you are on the food chain. If you are a big company, you have in-house counsel, you have privacy experts, sure, you probably have a good product review process. No problem. But on the other end of the spectrum, you're the small start-up, but you meet the threshold either by revenue or the number of processing of records, then that's gonna be more of a challenge for you. So that's the timing. Now where they are right now with what is gonna be required, they pared down the application or the scope. So it's high-risk processing. The six things that they still have are: selling or sharing personal information. So, again, like, the staff reminded the board, even though behavioral advertising, first-party data, that's gone, that's gone for ADMT, still, if you're doing targeted advertising as defined by CCPA, you're gonna need to do a risk assessment. This is what I remind my clients. You should be doing it already if you're covered by Virginia or Colorado, but this is gonna be required in California. Second, you're processing sensitive personal information. Now there is one carve-out if you are processing sensitive information for administering compensation payments, just determining and storing employment authorization. Those things, you don't need to do a risk assessment. But if you're like some of my clients, use facial recognition for, like, their ID process, yep. For your employees, you're gonna need to do a risk assessment. Third, using automated decision-making technology for a significant decision concerning a consumer. Now what we'll see when we look at ADMT is it's been narrowed as far as the definition of ADMT and the definition of significant decision. So there's a lot of businesses that would have been in that that probably won't be now, but that's number three. Number four, profiling a consumer through systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, independent contractor for business. So there's a lot about, again, education and employment that is gonna be impacted. The independent contractor: I don't wanna go too much on a digression of this, but at that April 4 meeting, there was a lot of commentary by Alastair reflecting the business comments from what he referred to as the gig economy. One of his quotes was: we're not gonna kill the gig economy. That ship has sailed. But those independent contractors, so that's why that's covered. Fifth, profiling a consumer based in a sensitive location. That's a paring down from just public, just, you know, any profiling in public. And then six, processing the personal information of consumers. This is the training of ADMT. So we have those six areas that you're gonna have to do the analysis on to see whether you're doing any of those processing. A lot of B2C companies, no matter what their size, are doing targeted advertising. So I think, again, there's gonna be more companies that realize they're gonna have to go through the risk assessment process.

**Colleen:** Thank you for so clearly outlining that, Jenny. I think that helps to think about those six categories. I'd love to turn to the next topic, which is cybersecurity.
