The California Privacy Protection Agency (CPPA) released its draft regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently regulated by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”).
The proposed regulations generally require comprehensive disclosures and opt-out provisions for California consumers and employees regarding the use of ADMT.
The proposal defines ADMT broadly to include AI and systems that process personal information (PI), which humans use to assist in decision-making. Notably, ADMT’s definition includes “profiling,” which refers to inference-making systems often used to assess employee job performance and/or consumer location.
The draft imposes three key requirements for businesses covered by the CCPA:
1. Provide pre-use notice about the use of ADMT.
2. Provide an opt-out mechanism for the use of ADMT to process personal information.
3. Provide a method for requesting access to specified information about how ADMT is used.
One important, but limited, exception allows businesses to forgo an opt-out right if the ADMT is necessary to provide the good or perform the service specifically requested by the consumer, if there is no reasonable alternative processing method and the business is not profiling for behavioral advertising use.
This framework is still an initial recommendation and is subject to change. However, businesses subject to CCPA should be aware of the impact it may have on their business and how they can comply with the regulatory requirements. For example, companies using AI to categorize employee performance or consumers for targeted advertising should be apprised of these developments. The CPPA will discuss the proposal on December 8, with the formal rulemaking process beginning in early 2024.