Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft “automated decisionmaking technology” (ADMT) regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year. Accordingly, the draft ADMT regulations are subject to change. Below are the key takeaways:
ADMT Definition: The draft regulations propose a broad definition of ADMT. Specifically, ADMT means “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” The draft regulations also include “profiling” within the ADMT definition.
“Pre-use Notice”: The draft regulations propose adding a new section to the CPPA regulations that would require businesses using ADMT for certain activities (i.e., activities that would require a business to grant consumers opt out and access rights as described below) to provide consumers with a “Pre-use Notice.” The Pre-use Notice must inform consumers about the business’s use of ADMT and consumers’ rights to opt out of, and to access information about, the business’s use of ADMT. The Pre-use Notice must include:
- A plain language explanation of the purpose for which the business proposes to use the ADMT that avoids the use of generic terms (e.g., “to improve our services”);
- A description of the consumer’s right to opt-out of the business’s use of the ADMT for certain processing activities (described below);
- A description of the consumer’s right to access information about the business’s use of the ADMT for the same processing activities that require opt out rights and how the consumer can submit their access request; and
- A “simple and easy-to-use method” (e.g., a layered notice or hyperlink) by which the consumer can obtain additional information about the business’s use of the ADMT.
A business is not required to provide a Pre-use Notice if it is using the ADMT for certain exceptions (e.g., security, fraud prevention, safety, or to provide a requested good or service).
Requests to Opt Out of ADMT: The draft regulations would require a business to provide a consumer with a Pre-use Notice, as described above, and opt out rights for the following uses: (a) decisions that produce a legal or similarly significant effects concerning a consumer, (b) profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student, (c) profiling a consumer while they are in a publicly accessible place, (d) profiling a consumer for behavioral advertising, (e) profiling a consumer that the business has actual knowledge is under the age of 16, or (f) processing the personal information of consumer to train ADMT. The uses in (d)-(f) are marked as “additional options for board discussion.” Upon receiving an opt out request, a business must comply with the request by “ceasing to process the consumer’s personal information using that [ADMT].” The draft regulations explain that the opt out applies to information used or retained for the ADMT. The draft regulations specify that a business does not need to provide consumers with an opt out of ADMT if the business’s use of the ADMT complies with certain exceptions.
Requests to Access Information About ADMT: As mentioned above, for certain ADMT use cases, the draft regulations would require a business to provide consumers with certain information regarding the business’s use of ADMT. Unless an exception applies, the draft rules would require a business to provide the following information in response to a consumer’s access request:
- The purpose for using the ADMT;
- Output(s) of the ADMT with respect to the consumer;
- How the business used the output to make a decision with respect to the consumer;
- If the business plans to use the output to make a decision with respect to the consumer, the business’s explanation must include specification regarding the ADMT’s functions, including its logic, the key parameters that affected the output, and how these parameters were applied to the consumer.
- How the ADMT worked with respect to the consumer (i.e., how the logic, including its assumptions and limitations, was applied to the consumer and the key parameters that affected the output of the automated decisionmaking technology);
- A simple and easy-to-use method by which the consumer can obtain the range of possible outputs;
- Instructions for how the consumer can exercise their other CCPA rights; and
- The method by which the consumer can submit a complaint to the business about the business’s use of the ADMT.