The California Privacy Protection Agency recently reviewed draft regulations addressing cybersecurity audits and privacy assessments that, if adopted, could significantly impact the development of artificial intelligence products. The proposed regulations would require many businesses already subject to the California Consumer Privacy Act (CCPA) to conduct new, independent audits of their cybersecurity programs and to implement privacy safeguards prior to their use of data that includes personal information to train artificial intelligence.
Data, privacy & cybersecurity associate Jessica Grischkan noted in an article for Law360 that the audit would require board-level involvement along with documentation of specific cybersecurity controls, ranging from account management and unique passwords to record retention, which could create a baseline expectations for the agency as to the “reasonable security procedures and practices” required under the CCPA and other statutes. The draft regulations also propose broad definitions of “artificial intelligence” and “automated decision-making” that could bring into their scope a wide variety of products. Prior to training artificial intelligence, businesses could be required to conduct detailed risk assessments and documentation of safeguards in place to protect the privacy of personal information.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.