State Actions

• California Regulatory Activity Continues to Heat Up: August was an active month for California regulators, who issued draft regulations, announced an enforcement probe and launched an online consumer complaint portal:

• Cybersecurity Audits & Risk Assessment Draft Rulemaking: In advance of its Sept. 8 Board meeting, the California Privacy Protection Agency (CPPA) issued draft regulations on Risk Assessments and Cybersecurity Audits. The drafts expressly state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” Nonetheless, the drafts provide insight into how the Agency will address audits and assessments. For example, the Risk Assessment draft proposal requires businesses to conduct risk assessments where processing of consumer personal information “presents a significant risk to consumer privacy,” and identifies seven instances in which a risk assessment would be required, including the selling or sharing of personal information and the use of personal information for automated decision making or to train artificial intelligence models.
• California Auto Enforcement Probe: The CPPA also announced its intent to probe how automotive companies are complying with the California Consumer Privacy Act, as amended by the California Consumer Privacy Rights Act (“CCPA”). In announcing the enforcement probe, Ashkan Soltani, CCPA’s Executive Director, said “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” For further analysis of the enforcement probe, check out Clark Hill’s Client Alert.
• California Consumer Complaint Portal Now Live: The California Privacy Protection Agency launched its Consumer Complaint Portal and related FAQs for consumers to direct their privacy-related complaints and suspected violations of the California Consumer Protection Act (CCPA).
• California Delete Act Passes Assembly: The California Delete Act, CA SB 362, unanimously passed the State Assembly, and full enactment of the law is expected soon. Among other things, CA SB 362 would require data brokers to respect a “universal opt-out request” for any California resident. It would create a “one-stop shop” for asserting rights over hundreds of entities that collect, aggregate and resell consumer personal information.

• New York Unveils Statewide Cybersecurity Strategy: On August 9, Governor Kathy Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, and outlines how existing and planned initiatives will be woven together in a unified approach. The plan’s commitment to improving cybersecurity includes a $90 million investment for cybersecurity in Fiscal Year 2024; $500 million to enhance healthcare information technology; and $7.4 million for law enforcement entities to expand their cybercrime capabilities.

• New York Bill on Electronic Monitoring and Automated Employment Decision Tools Introduced: New York employers could face new restrictions on the electronic surveillance of workers and the growing use of automated decision-making and artificial intelligence (AI) technology to make employment decisions. Senate Bill (S) 07623 regulates so-called “bossware” and prohibits “automated employment decision tools” (AEDTs) that are used to “substantially assist or replace discretionary decision making” unless such tools are subjected to a bias audit “no more than one year prior to the use of such tool” and a summary of the audit results is made publicly available on the website of the employer or employment agency. Employers would also be prohibited from relying solely on an output from an AEDT “when making hiring, promotion, termination, disciplinary, or compensation decisions.”