
New Draft Regulations on ADMT Published by California’s CPPA

Written by Alex Margau | Dec 8, 2023 2:00:00 PM

On November 27, 2023, the California Privacy Protection Agency (CPPA) published “Draft Automated Decisionmaking Technology Regulations” which, according to the official announcement on the Agency’s website, “defines important new protections related to businesses’ use of these technologies, [...] can provide consumers with control over their personal information while ensuring that automated decisionmaking technologies, including those made from artificial intelligence, are used with privacy in mind and in design,” and, if passed, “would implement consumers’ right to opt out of, and access information about, businesses’ uses of ADMT, as provided for by the California Consumer Privacy Act (CCPA).”

The draft regulations offer a definition for ‘automated decisionmaking technology’ which is to be understood as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. Automated decisionmaking technology includes profiling.” 

Also, the regulations define profiling as “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

Businesses that use ADMT would face a new requirement: to provide a “Notice of Rights to Opt-Out of, and Access Information About, the Business’s Use of Automated Decisionmaking Technology,” also called a “Pre-use Notice.” The notice would have to be provided to data subjects before their personal data is processed using ADMT, and would have to give consumers sufficient information and options so that they can exercise control over their personal data before a business processes it.

In addition, the pre-use notice would have to disclose several things, such as the purpose(s) for which a business uses ADMT; an explanation of a consumer’s right to access information about a business’s use of ADMT and the right to opt out of it, together with a description of how consumers can exercise these rights; and “a simple and easy-to-use method (e.g., a layered notice or hyperlink) by which the consumer can obtain additional information about the business’s use of the automated decisionmaking technology.”

Consumers have to be granted the right to opt out of ADMT in the following cases: 

  • “For decisions that tend to have the most significant impacts on consumers' lives. This would include, for example, decisions about their employment or compensation.
  • Profiling an employee, contractor, applicant, or student. This would include, for example, using a keystroke logger to analyze their performance, and tracking their location.
  • Profiling consumers in publicly accessible places, such as shopping malls, medical offices, and stadiums. This would include, for example, using facial-recognition technology or automated emotion assessment to analyze consumers’ behavior.
  • Profiling a consumer for behavioral advertising. This would include, for example, evaluating consumers’ personal preferences and interests to display advertisements to them.”

As an exception, a business can refuse an opt-out request when it uses ADMT for one of the following purposes:

  • “To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
  • To protect the life and physical safety of consumers; or
  • To provide the good or perform the service specifically requested by the consumer.”

Where an opt-out request is valid and has to be honored, the business has to make two or more designated methods available for submitting it, and at least one of these methods has to “reflect the manner in which the business primarily interacts with the consumer.” Examples include, but are not limited to, an interactive form, an in-person method, a toll-free number, and a designated email address.

The CPPA’s next Board meeting, scheduled for today, December 8, 2023, will discuss these new draft regulations, and it remains to be seen whether they will become law or will first undergo further modifications.