Proposed California Regulations for Automated Decision-Making

The California Consumer Privacy Protection Agency (CPPA) issued draft rulemaking on automated decision-making technologies as part of its implementing regulations under the California Consumer Privacy Act (as revised, CCPA).

The CCPA directs the CPPA to issue regulations on “Automated Decision-making technology” (ADT).¹ Notably, in establishing regulations governing the use of ADT by businesses, the CPPA is imposing significant regulation on the use of artificial intelligence (AI). Specifically, the current draft ADT regulations, released November 27, 2023, define ADT as: any system, software or process—including one derived from machine-learning, statistics, or other data-processing or AI—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision making.² ADT also includes profiling, which is: “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”³

Under the current draft ADT regulations, businesses would be required to provide a pre-use notice to consumers about the businesses’ use of ADT, the consumers right to opt out, and to access information about how the business uses ADT. This pre-use notice must:

• Be provided in the manner in which the business primarily interacts with the consumer, before the business processes the consumer’s personal information using ADT.
• Have a plain language explanation of the purpose of the use of ADT.
• Include a description of the consumer’s right to opt out and how the consumer may submit an opt-out request.
• Include a description of the consumer’s right to access information about the use of ADT with respect to the consumer.
• Feature a simple and easy-to-use method by which the consumer can obtain additional information about the business’s use of ADT, such as a layered notice or hyperlink.⁴

The draft ADT regulations would also require businesses to provide an option to opt out of the following uses of ADT:

• Making a decision that produces legal or similarly significant effects concerning a consumer.
• Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant or student (like profiling employees using keystroke loggers).
• Profiling a consumer while they are in a publicly accessible place (like using Wi-Fi, Bluetooth tracking, drones or geolocation to profile consumers in public).
• Profiling a consumer for behavioral advertising (including opt-ins for consumers under 16).
• Profiling a consumer that the business has actual knowledge of is under the age of 16.
• Processing personal information of consumers to train ADT.⁵

The draft regulations include several exceptions to these opt-out rights, including where ADT is used for the prevention of security incidents, fraud or illegal actions, protecting consumer safety or in the event no reasonable alternative exists for processing.⁶

During the December meeting, the CPPA board noted concerns from both the public and board members over the broad definition of ADT as well as exceptions to ADT opt-out rights.

Ultimately, the Board decided that the draft ADT regulations are not ready for formal rulemaking and sent the draft back to the New CPRA Rules Subcommittee (Rules Subcommittee) for further revision.⁷ This extends an already long process for issuance of the final regulation, which requires the Board to vote to move to formal rulemaking; the staff to prepare a draft and conduct an economic analysis; the Board to issue the draft regulation; the public comment period to be opened; and then the Board to finalize or modify the rule based on response to public comment.

We will continue to monitor developments in this space as well as the CPPA public meetings. Please contact a member of Akin’s cybersecurity, privacy and data protection team to learn more about how these incoming regulations may affect your company.

^{1 Cal. Civ. Code § 1798.185(a)(16).}

^{2 Draft Automated Decisionmaking Technology Regulations § 7001.}

^{3 Id.}

^{4 Id. § 7017. This additional information must also include a description of whether the technology has been evaluated for reliability or fairness, and the outcome of such information.}

^{5 Id. § 7030.}

^{6 Id. § 7030 (m).}

^{7 Unlike other proposed regulations, the draft ADT regulations were submitted directly from the CPPA staff rather than the Rules Subcommittee.}