The California Privacy Protection Agency (CPPA) has initiated enforcement of its automated decision-making regulations under the California Privacy Rights Act (CPRA). These regulations address algorithmic profiling, behavioral scoring and automated systems that make or inform decisions about consumers. As the CPPA begins audits, companies must update their compliance programs to reflect the new requirements.
The CPRA authorizes the CPPA to regulate automated decision-making technology. The regulations apply to businesses that use algorithms to evaluate personal characteristics, predict behavior, or determine eligibility for services. They impose new transparency, access and opt-out rights, along with risk assessment requirements. Now, businesses must disclose the use of automated decision-making, including the purpose of the system, the decision-making logic used, and the role of human oversight. On the consumer-side of the equation, individuals may, in response, opt-out of profiling in certain contexts, including significant decisions related to housing, employment, health, finance and public benefits. In an effort to foster increased transparency, businesses must also provide meaningful information about the logic involved in automated decisions, subject to trade secret protections. In addition, businesses must conduct and document algorithmic risk assessments that consider discrimination risks, data quality, intended use, and security controls.
As always, the CPPA continues to have broad investigative authority, including the ability to conduct audits without prior suspicion of a violation. Therefore, businesses that use automated systems without proper disclosures or risk assessments may face enforcement actions, penalties and mandatory remediation. As a result, it would be prudent for covered businesses to, at a minimum, update privacy notices with automated decision-making disclosures; conduct algorithmic risk assessments annually or before deployment; implement opt out mechanisms that are accessible and easy to use; review third party vendor contracts for ADM related obligations; and train internal teams on CPRA and ADM compliance requirements.
Automated decision-making rules represent one of the most significant expansions of California privacy law since the enactment of the CPRA. Therefore, businesses that update their processes now will be better positioned to avoid enforcement actions, avoid reputational damage, and maintain consumer trust.
