CPPA Releases Proposed Regulatory Framework for Automated Decision-Making Technology

Paul Hastings LLP

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released the first draft of its automated decision-making technology (“ADMT”) rules (the “Draft Rules”) for covered entities that must comply with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). This iteration of the Draft Rules is intended for discussion at the CPPA Board and will be open for public comments thereafter. The Draft Rules define ADMT as “any system, software, or process—including one derived from machine-learning, or other data-processing or artificial intelligence—that processes personal information and uses computation as a whole or part of a system to make or execute a decision or facilitate human decision-making.”

Proposed requirements for covered entities using ADMT

The Draft Rules propose requiring covered entities to provide consumers with two or more designated methods for submitting opt-out requests when they engage in any of the following activities:

  • Make decisions producing legal or similarly significant effects concerning consumers that may result in access to, provision or denial of: financial or lending services; housing; insurance; education; enrollment or opportunity; criminal justice; employment or independent contracting opportunities or compensation; healthcare service; or essential goods or services.
  • Profile consumers acting in their capacity as an employee, independent contractor, job applicant, or student. Examples may include using:
    • Keystroke loggers
    • Productivity or attention monitors
    • Video or audio recording or live-streaming
    • Facial/speech recognition or detection
    • Automated emotion assessment
    • Location trackers
    • Speed trackers
    • Web-browsing, mobile-application, or social-media monitoring tools
  • Profile consumers while they are in publicly accessible places, including using:
    • Wi-Fi or Bluetooth tracking
    • Radio frequency identification
    • Drones
    • Video or audio recording or live-streaming
    • Facial/speech recognition or detection
    • Automated emotion assessment
    • Geo-fencing
    • Location trackers
    • License-plate recognition

Additional activities that could potentially also require opt-out opportunities for consumers include:

  • profiling consumers for behavioral advertising;
  • profiling consumers that are known to be under 16 years old; and
  • processing consumer personal information to train automated decision-making technology.

Proposed requirements that would provide consumer protections

The Draft Rules also propose that covered entities draft Pre-use Notices containing a description of consumers’ rights to opt out of the processing of their personal data by ADMT. This description should clearly state the scope of consumers’ rights to opt out. If a covered entity is not required to provide consumers a right to opt out because it relies on an exception to the requirement to do so (such as when a covered entity uses ADMT to protect the life and safety of consumers), the entity must inform consumers of that fact and identify the specific exception it is relying on.

The Draft Rules also propose that Pre-use Notices include the following information on consumers’ rights to access information about covered entities’ use of ADMT:

  • A description of consumers’ rights to access information about that use of ADMT with respect to those consumers for processing; and
  • A simple and easy-to-use method for consumers to obtain additional information about covered entities’ use of ADMT, such as a layered notice or hyperlink.

Next steps

As explained above, the Draft Rules are intended for the CPPA Board’s discussion and will be open for public comment at a yet-to-be-determined date. To prepare, covered entities that use ADMT should consider getting a head start on compliance by:

  • Determining all areas for which they use ADMT as described above.
  • Assessing their level of compliance with the Draft Rules so they are prepared to act when the Draft Rules are finalized.
  • Providing comments on the Draft Rules once the public comment period begins.

Other Key CPPA Board Updates

Additionally, the CPPA Board meeting scheduled for December 8, 2023, will discuss previously released proposed regulations regarding cybersecurity audits and risk assessments. The proposed risk assessment regulations include language for CPPA Board consideration requiring covered entities to conduct risk assessments when processing consumers’ personal information presents significant risk to consumers’ privacy. The proposed cybersecurity audit requirement includes language for CPPA Board consideration requiring covered entities to perform cybersecurity audits. The CPPA Board will consider options for thresholds a covered entity must meet to be subject to the cybersecurity audit requirement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Paul Hastings LLP | Attorney Advertising
