November 30, 2023

CPPA Draft Regulations on Automated Decisionmaking Technology and AI

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released draft regulations on automated decisionmaking technology (the “Draft ADMT Regulations”).[1]  The purpose of the Draft ADMT Regulations is to ensure that artificial intelligence (AI) and automated tools are deployed with privacy in mind.[2]  However, the broad scope of key terms exceeds existing law anywhere in the world and would create a number of requirements, including mandatory opt-outs for certain uses such as behavioral advertising.  If these regulations become law, they would be highly disruptive to many industries.

Timing:  The release of the Draft ADMT Regulations is the first step in a process that could take at least 9-12 months, with the next step being the initiation of a formal rulemaking process in early 2024.  Past rulemakings have provided multiple opportunities for the public—including individuals and companies—to provide feedback and comment.  The CPPA is also likely to initiate formal rulemaking processes for risk assessments and cybersecurity audits very soon.  The year 2024 is poised to be very busy and potentially impactful with significant implications for all companies that do business in or collect information from residents of California.

Scope:  Definition and Covered Uses of ADMT

The Draft ADMT Regulations propose key definitions that are significantly broader than any other law or regulation, including the EU General Data Protection Regulation (“GDPR”).[3]  For example:

  • “Automated Decisionmaking Technology” means “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or ‘artificial intelligence’[4]—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.”[5]  Unlike GDPR Article 22, which is limited to decisions based solely on automated processing, these rules are not confined to decisions made solely by automated decisionmaking technology (“ADMT”): technology that merely facilitates human decisionmaking is covered, and there is no exception for human intervention.
  • “Profiling” means “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”[6]
  • Covered uses include a “decision that produces legal or similarly significant effects concerning a consumer”[7] (e.g., decisions to provide or deny employment opportunities), which is conceptually similar to GDPR and other privacy laws, but also more specific activities: profiling a consumer while they are in a “publicly accessible place”[8] (e.g., profiling a consumer through Wi-Fi or Bluetooth tracking, geofencing, or facial or speech recognition or detection), profiling a consumer for behavioral advertising, profiling a consumer whom the business has actual knowledge is under the age of 16, and processing consumers’ personal information to train ADMT.


The Draft ADMT Regulations and the CPPA board meeting materials highlight some of these particular uses as specific topics for discussion by the CPPA Board at the December 8 meeting.[9]

Breadth:  Requirements for Companies Using ADMT

The Draft ADMT Regulations propose establishing three requirements for businesses that use ADMT for covered uses:  (1) pre-use notice, (2) opt-out rights, and (3) access rights.  These bear superficial resemblance to similar requirements in laws like GDPR, but in combination with the proposed definitions above could have potentially significant and broader implications.

(1)  Pre-Use Notice

A business must provide a “pre-use notice” before it processes consumers’ personal information using ADMT, and the notice must comply with Section 7003 (disclosure requirements) of the California Consumer Privacy Act (“CCPA”) regulations.[10]  A pre-use notice must be provided in the manner in which the business primarily interacts with the consumer and must include very specific content, such as a plain-language explanation of the purpose for which the business proposes to use ADMT and a simple and easy-to-use method by which consumers can obtain “additional information”[11] about the business’s use of ADMT.

(2)  Opt-Out Right

The Draft ADMT Regulations would provide consumers with the ability to opt out of the business’s use of ADMT.  This is broader than the CCPA’s general opt-out requirements, which apply to the sale and sharing of personal information, and it is potentially broader than GDPR’s right for a data subject “not to be subject to a decision based solely on automated processing.”[12]

If a consumer submits an opt-out request before the business has initiated processing, the business cannot initiate processing of the consumer’s personal information using ADMT.  If a consumer submits an opt-out request after the business has initiated processing, the business must (i) cease processing the consumer’s personal information using ADMT no later than 15 business days from receipt of the request, and (ii) notify all service providers, contractors, or other persons to whom the business has disclosed or made available the consumer’s personal information for processing using that ADMT that the consumer has opted out, and instruct them to comply with the request.  Here, the Draft ADMT Regulations would import from GDPR a broadly interpreted “objection” right and apply it to a broadly defined set of ADMT activities, rather than adopting GDPR’s relatively focused approach to automated decisions.

There are some exceptions to this opt-out right, but they are very narrowly drafted, and there is an exception to the exceptions.  A business is not required to provide an opt-out right if its use of ADMT complies with section 7002 of the CCPA regulations and is “necessary to achieve, and is solely for,” certain specified purposes: security (to prevent, detect, and investigate security incidents directed at the business), fraud prevention (to resist malicious, deceptive, fraudulent, or illegal actions), safety (to protect the life and physical safety of consumers), or the provision of the goods or services specifically requested by the consumer (provided that the business has no reasonable alternative method of processing).  However, a business cannot rely on these exceptions if it is profiling a consumer for behavioral advertising.

Finally, the Draft ADMT Regulations would impose specific requirements on the methods of submitting and responding to requests to opt out of ADMT, such as requiring that businesses provide two or more designated methods for submitting opt-out requests, and requiring businesses to wait at least 12 months from the date of receipt of an opt-out request before asking the consumer to consent to the use of ADMT for which the consumer previously opted out.

(3)  Access Right

Businesses must provide consumers with the right to access information about the use of ADMT.  Specifically, businesses would be required to verify the consumer’s identity and provide the following information:

  • The purpose for which the business used ADMT;
  • Output of the ADMT with respect to the consumer;
  • How the business used (or plans to use) the output to make a decision (including the decision that was made with respect to the consumer, other factors used, the role of any human involvement, and whether the use of ADMT was evaluated for validity, reliability, and fairness);
  • How the ADMT worked, including its logic, the key parameters that affected the output, and how these parameters were applied to the consumer;
  • A range of possible outputs (e.g., aggregate output statistics); and
  • How a consumer can exercise their other CCPA rights (e.g., providing a link to that section of the privacy policy) and submit a complaint about the use of ADMT.


Separately, if a business has made a decision that results in the denial of goods or services and that produces legal or similarly significant effects concerning a consumer (e.g., denying an employment opportunity or lowering compensation), the business would have to notify the consumer, in the manner in which the business primarily interacts with that consumer, of the decision, of the right to access and how to exercise it, and of how the individual can file a complaint with the CPPA and the California Attorney General.

Similar to the opt-out right, a business would not be required to provide consumers with information if it would compromise its processing for the following purposes: (a) security, (b) fraud prevention, or (c) safety.

Interplay with Other Proposals:  Risk Assessments on ADMT and AI

The Draft ADMT Regulations would work in tandem with the revised draft regulations on risk assessments (the “Revised Risk Assessment Regulations”),[13] which the CPPA Board will also be considering at the December 8, 2023 board meeting.

With respect to processing activities that require conducting a risk assessment, the Revised Risk Assessment Regulations provide that a risk assessment would need to be conducted when using ADMT in any of the following ways: (a) for a decision that produces legal or similarly significant effects concerning a consumer; (b) profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student; (c) profiling a consumer while they are in a publicly accessible place; or (d) profiling for behavioral advertising.  It separately provides that a risk assessment would need to be conducted when consumers’ personal information is processed to “train”[14] ADMT or AI that may be used for certain activities, including those listed above, as well as establishing individual identity on the basis of biometric information, using facial, speech, or emotion detection, generation of deep fakes, and the operation of generative models, such as large language models.  And under the rules that generally would apply to risk assessments, businesses would need to submit risk assessment materials, potentially including (1) a written certification of compliance; (2) an abridged version of the risk assessment, and (3) upon request by the CPPA, the unabridged risk assessment.

Next Steps:  The Formal Rulemaking Process

The CPPA expects to begin formal rulemaking on ADMT regulations next year.  In its only completed rulemaking thus far—amending the pre-existing CCPA regulations—the CPPA took about 9 months from the commencement of the formal rulemaking process until the final adoption of rules, and included multiple opportunities for the public to comment.  Given the nature of the regulations being proposed for ADMT, as well as the combination of rulemakings on ADMT, risk assessments, and cybersecurity audits, it seems likely that the CPPA process would take at least as long as that initial rulemaking.  That said, it remains to be seen exactly when the final regulations will be adopted.  In the absence of federal privacy legislation, California’s regulations on ADMT and risk assessments, when finalized, may be the first sweeping AI regulation in the US, and it could far eclipse current requirements and many proposals under European law.



[1]       Draft Automated Decisionmaking Technology Regulations for California Privacy Protection Agency (CPPA) December 8, 2023 Board Meeting, California Privacy Protection Agency (Nov. 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf (“Draft ADMT Regulations”).  The CPPA also released the meeting materials for its December 8, 2023 board meeting, available at https://cppa.ca.gov/meetings/materials/20231208.html.

[2]       A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, California Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html.

[3]       Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

[4]       The revised draft risk assessment regulations define “Artificial Intelligence” as “an engineered or machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions that influence physical or virtual environments. Artificial intelligence includes generative models, such as large language models, that can learn from inputs and create new outputs, such as text, images, audio, or video; and facial- or speech-recognition or -detection technology.” New Rules Subcommittee Revised Draft Risk Assessment Regulations for CPPA December 8, Board Meeting, California Privacy Protection Agency (Nov. 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft_redline.pdf.

[5]       Draft ADMT Regulations, Section 7001.

[6]       Id.

[7]       “Decision that produces legal or similarly significant effects concerning a consumer” means a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.

[8]       “Publicly accessible place” means a place that is open to or serves the public.  Examples of publicly accessible places include shopping malls, stores, restaurants, cafes, movie theaters, amusement parks, convention centers, stadiums, gymnasiums, hospitals, medical clinics or offices, transportation depots, transit, streets, or parks.

[9]       Automated Decisionmaking Technology: Overview of Proposed Framework & Key Topics for Board Discussion for CPPA December 8, 2023 Board Meeting, California Privacy Protection Agency (Nov. 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_presentation.pdf.

[10]     Cal. Code Regs. Tit. 11, §§ 7001-7304.

[11]     Additional information must include: (a) the logic used in ADMT, (b) the intended output of ADMT, (c) how the business plans to use the output to make a decision, including the role of any human involvement, and (d) whether the business’ use of ADMT has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation.

[12]     GDPR, Art 22(1).

[13]     New Rules Subcommittee Revised Draft Risk Assessment Regulations for CPPA December 8, 2023 Board Meeting, California Privacy Protection Agency (Nov. 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft_redline.pdf.

[14]     For purposes of this section, the revised draft defines “training” to mean teaching AI or ADMT to generate a desired output.  Training includes determining or improving the parameters of the AI or ADMT to achieve the desired output.