On November 27, 2023, the California Privacy Protection Agency (the “Agency”) published its draft Regulations for Automated Decision Making Technology (“ADMT”), as well as a revised draft for Risk Assessment Regulations, ahead of its December 8, 2023 public meeting. Of note, the Agency has yet to start the formal rulemaking process. The publication of these regulations is intended to facilitate discussion and public participation, which in turn means implementation of such regulations is still some time away.
The published regulations would require businesses to provide consumers with the following:
- A pre-use notice of the business’s use of ADMT;
- The ability to opt out of the business’s use of ADMT; and
- The ability to access certain information regarding the business’s use of ADMT.
Scope of Regulations (Spoiler alert: it’s broad)
ADMT is defined broadly, capturing acts that are not solely automated. ADMT is defined as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making”. This last portion, “facilitate human decision-making,” implies the expansive nature of activities that will fall within this definition since it covers certain systems that support human activity and thus are not fully automated. Further, ADMT includes Profiling (as defined below), which would have immediate consequences for certain actions taken in the employment context (as discussed below).
As for “Profiling,” it means any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person. In particular, such processing would include any analysis or prediction of aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Importantly, the regulations propose special rules related to the Profiling of minors (under the age of 16) for behavioral advertising.
For businesses that use ADMT, the draft regulations would require them to provide consumers with a pre-use notice. The notice must inform consumers about the business’s use of ADMT and the consumer’s right to access information about the business’s use of ADMT and to opt out of certain of those uses. In line with CCPA, the pre-use notice must give a plain language explanation of the purposes for which the business uses ADMT, and the purpose may not be described in generic terms such as “to improve our services”. Additionally, the business must provide a simple and easy-to-use method (e.g., a hyperlink) that gives the consumer the ability to obtain additional information, including information regarding:
(a) How the business plans to use the output to make a decision with respect to the consumer;
(b) Any factors other than the output the business plans to use to make a decision;
(c) The role of any human involvement in the business’s use of the automated decision-making technology; and
(d) Whether the business’s use of the automated decision-making technology has been evaluated for validity, reliability, fairness, and the outcome of any such evaluation.
Right to Access
Under the proposed regulations, consumers can inquire about the purposes of ADMT and the processes for making decisions about them. Businesses must disclose information about the logic and the possible range of outcomes behind the ADMT, in addition to how human decision-making influenced the final outcome. The business must also notify the consumer of their right to file a complaint with the CPPA and provide links to the complaint forms.
A business shall provide consumers with the right to opt out of ADMT (i) for “a decision that produces legal or similarly significant effects” concerning a consumer; (ii) in the employment context (as discussed below); and (iii) when the consumer is in a publicly accessible place. A “decision that produces legal or similarly significant effects concerning a consumer means a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.”
In the employment context (which includes independent contractors, job applicants, and/or students), ADMT includes profiling an employee using keystroke loggers, productivity or attention monitors, video or audio recording, live streaming, facial or speech recognition or detection, automated emotion assessment, location trackers, speed trackers, web-browsing, mobile-applications, or social-media monitoring tools. In turn, this would require the business to provide the employee with the ability to opt out of such ADMT.
Additionally, consumers may opt out of the use of ADMT (including Profiling) when a consumer is in a publicly accessible place using Wi-Fi or Bluetooth tracking, radio frequency identification, video or audio recording, or live-streaming, facial or speech recognition or detection, automated emotion assessment, geofencing, location trackers, or license-plate recognition.
A business, however, would not be required to provide opt-out rights in certain situations, including for preventing security incidents, protecting life and physical safety of consumers, resisting fraudulent actions directed at the business, or providing a specifically requested good or service where the business has no reasonable alternative method of processing.
Before a business uses an ADMT for any of the following purposes, the business must also conduct a risk assessment:
(a) For a decision that produces legal or similarly significant effects concerning a consumer;
(b) Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student;
(c) Profiling a consumer while they are in a publicly accessible place; or
(d) Profiling for behavioral advertising.
A certificate of compliance must be submitted to the Agency within a certain timeframe (which has not yet been defined). Additionally, upon request, a business must provide the Agency with a risk assessment within five (5) days of such request.
Please reach out to us if you need any assistance in implementing opt-out mechanisms, updating your privacy policies, or have other privacy concerns related to your business.