United States of America: Published draft Risk Assessment Regulations

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its 8 September 2023 board meeting, including draft Risk Assessment Regulations. The CPPA clarified that formal rulemaking processes for cybersecurity audits, risk assessments, and automated decision-making technology have not yet begun. These drafts aim to facilitate board discussions and public involvement. The draft Risk Assessment Regulations set out when business must conduct risk assessments regarding their processing of consumer personal data. The Regulations also set out minimum requirements for such risk assessments.