CPPA releases draft rules for automated decision-making technology
On November 27, the California Privacy Protection Agency released its initial rulemaking draft for automated decision-making technology (ADMT). The release of these draft rules puts California at the forefront of state-level artificial intelligence (AI) regulation at a time when regulators are scrambling to address the societal risks relating to this technology.
The draft rules focus on two key areas: a business’s notice requirements regarding use of ADMT, and enforcement of two new consumer rights – the right to opt out of ADMT processing and the right to access information about the business’s use of ADMT.
While the release of these draft rules is a significant milestone for the Agency, formal rulemaking on this topic is not expected to start until early 2024, which would mean businesses would not be required to comply with the requirements until 2025 (per a California Superior Court ruling this summer holding that the Agency cannot enforce new regulations until one year after they have been finalized).
New: Pre-use Notice
The draft rules would require businesses to provide a new “just-in-time” style privacy notice, which the rules call a “Pre-use Notice.” As the name suggests, the Pre-use Notice must be made available to consumers before a business processes their personal information using ADMT. For example, this would require businesses that use ADMT-powered facial recognition or surveillance tools in public spaces such as shopping malls to post a Pre-use Notice via a QR code or other easily accessible link.
As with the California Consumer Privacy Act’s (CCPA) “notice at collection,” the presumed purpose of this Pre-use Notice is to provide consumers with sufficient information and options to control the use of their personal information before it is processed by a business.
The Pre-use Notice would need to contain certain disclosures, including:
- The purpose(s) for which the business uses ADMT
- An explanation of the rights to opt out of, and to access information about, the business’s use of ADMT, and how consumers may exercise these rights
- A simple method (eg, a hyperlink) through which consumers may learn more about the business’s ADMT use (such as an explanation about the logic used and the intended output).
When ADMT rights would apply
Under the draft rules, businesses would be required to provide consumers the right to opt out of, and access information relating to, their use of ADMT in the following use cases:
- Decisions that produce legal or similarly significant effects concerning a consumer (mirroring other state privacy laws and regulations discussing ADMT and profiling)
- Profiling employees, independent contractors, job applicants, or students (eg, via the use of keystroke loggers and other monitoring tools)
- Profiling consumers in publicly accessible places (eg, via facial recognition, video surveillance, geofencing, or location tracking).
The draft leaves open for CPPA board discussion other use cases that may trigger these rights, such as profiling consumers for behavioral advertising purposes, profiling consumers under 16, and processing personal information to train ADMT models.
Operationalizing ADMT rights
The draft rules contain operational requirements that should already be familiar to businesses with CCPA privacy rights request programs and processes in place. These include the requirements to provide at least two methods to intake requests, to verify consumers’ identities (except for opt-outs related to profiling for behavioral advertising), and to allow consumers to delegate their rights to an agent.
However, the draft rules also introduce new requirements that will require updates to a company’s privacy rights request handling process, such as an obligation to provide a means by which the consumer can confirm the business has processed an opt-out request.
Under the draft rules, businesses would be able to take advantage of certain exceptions to the requirements to provide the additional rights and the Pre-use Notice, depending on how the business uses ADMT. These exceptions would apply where the use of ADMT by the business is necessary for the following purposes:
- To prevent, detect, and investigate security incidents that impact personal information (ie, data breaches)
- To combat illegal or malicious activity directed at the business
- To protect a consumer’s life and physical safety or
- To provide goods or services a consumer specifically requests (provided the business is unable to provide a reasonable alternative method of processing that does not use ADMT).
The Agency is expected to discuss the draft rules at the next board meeting on December 8, 2023, with formal rulemaking likely to commence in early 2024. Given the Agency’s previous rulemaking timelines (including a mandatory 45-day public comment period), we may not see finalized ADMT rules until late summer 2024.
To find out more about the implications of the draft rulemaking for your business, please contact any of the authors.