CPPA Takes on Automated Decisionmaking Technology


The Board of the California Privacy Protection Agency (CPPA) met on December 8, 2023, with the primary purpose of discussing new proposed regulations that can affect businesses across the globe. The regulations covered three main areas: risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT).

While all of these regulations will likely have a profound impact on future compliance with the state’s landmark privacy legislation, the California Consumer Privacy Act (CCPA), the proposed rules on ADMT have generated particular interest because they go much farther than many were expecting.

Here we'll explore what that means.

Background

The CPPA was created when state voters approved the California Privacy Rights Act in 2020, which also gave the Agency broad rule-making authority. The legislation identified several areas of compliance for which the CPPA must adopt regulations. One of these areas is “automated decisionmaking, including profiling,” for which regulations must define consumers’ access and opt-out rights.

With little in the way of specific guidance from the statute, the CPPA has a lot of leeway to create its own rules. On top of this, the CCPA’s exemption for employee data expired at the beginning of 2023, meaning the Agency has to consider workplace privacy as well.

The Current Proposal

The proposed ADMT regulations essentially open up an entire new area of CCPA compliance, so there is a lot of information to take in. Here are the essential details.

Definitions

There are two definitions that are key to understanding the breadth of the proposed regulations: “automated decisionmaking technology” and “profiling.”

Automated decisionmaking technology
Any system, software, or process that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. Automated decisionmaking technology includes profiling.

Profiling
Any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Both of these definitions are very open-ended. For example, a definition of ADMT as “any software that uses computation as part of a system to facilitate human decisionmaking” has led some to speculate that a spreadsheet could be considered ADMT.

When the Rules Apply

The breadth of these definitions is somewhat trimmed back elsewhere in the regulations. That is mostly because compliance obligations would only be imposed on businesses when they use ADMT for certain purposes. These purposes are:

  1. For a decision that produces legal or similarly significant effects concerning a consumer
  2. Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student
  3. Profiling a consumer while they are in a publicly accessible place
  4. Profiling a consumer for behavioral advertising
  5. Profiling a consumer that the business has actual knowledge is under the age of 16
  6. Processing the personal information of consumers to train ADMT

Requirements for Businesses Using ADMT

If ADMT is used for any of the purposes listed above, it would trigger significant compliance obligations:

  • Risk Assessments - The use of ADMT would be considered a high-risk activity, which means businesses would have to complete risk assessments for the processing. The Agency is still considering regulations for what these assessments will look like, but they are likely to go beyond what is required in other states with privacy legislation.
  • Pre-Use Notice - Businesses will have to provide a substantial privacy notice specific to their use of ADMT. Among other information, the pre-use notices must include:
    • The logic of the ADMT
    • Its intended output
    • How the business plans to use the output to make a decision
    • Whether the ADMT has been evaluated for validity, reliability, and fairness
  • Opt-Out Rights - If a consumer opts out, the business must cease processing their personal information with that ADMT, as well as delete the relevant personal information. There are exceptions to the opt-out right if the ADMT is used for:
    • Security
    • Fraud prevention
    • Safety
    • To provide a requested good or service (with limitations)
  • Access Rights - Upon request, businesses must provide consumers with detailed information about the ADMT, including:
    • The business’s purpose for using the ADMT
    • The output of the ADMT for that specific consumer
    • The range of possible outputs
    • Any decision made using the ADMT
    • How the ADMT worked in this particular case
    • How the consumer can exercise their CCPA rights and make a complaint to the CPPA

What Happens Next?

The proposed regulations are far from finalized. First, the CPPA Board would have to approve the language, then open them up to public comment, possibly make changes based on feedback, and ultimately send the proposed rules for approval by the Office of Administrative Law. The Agency also has yet to prepare an economic impact assessment, which is a requirement for new regulations. Even if the proposed rules were to undergo no changes and progress at a quick pace, they probably wouldn’t be in force until at least 2025.

However, there is reason to think that there will be significant revisions to the ADMT rules before they move forward. Several of the Board members pushed back against the draft language for being overbroad, especially with regard to the rules for profiling employees. As one Board member put it, “The CCPA is a privacy law, not an HR law.” A new version of the rules will be prepared with input from individual Board members, and should be presented at the next meeting. The next round of changes should provide insight into the Agency’s thinking on the matter.

Privacy Compliance Made Simple

Privacy continues to be a major political issue, and the laws in this area are likely to be in constant flux as regulators react to new developments. That may be a good thing for consumers, but it makes compliance much more complicated for businesses. This is especially true for small and medium-sized businesses that may not have in-house privacy experts.

TrueVault brings privacy compliance within the reach of businesses of all sizes. Our automated software guides you through every step of onboarding, similar to the process of doing your taxes online. In as little as a few hours, you can create your business’s data map, post your required privacy notices, and be ready to respond to consumer requests. Even better, as new privacy laws are passed and regulations are updated (as in California), the changes are incorporated into your Privacy Center at no extra cost!

To view a demo of how TrueVault works, contact our team today.

 
Schedule Call