At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information. Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process. At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process. The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest. Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.
The draft rules would require businesses to notify consumers prior to using ADMT, establish consumer opt out and access rights when businesses use ADMT, and require businesses to complete risk assessments when processing personal information in certain contexts, including when training ADMT or AI. Board members disagreed about the appropriate scope of the regulations, including on the scope of the ADMT requirements.
Laird estimated that the Board has already received between two to three thousand pages of comments. To receive additional input and promote public engagement, the CPPA plans to take the proposed regulations on a “roadshow” across California prior to the next meeting. You can find more information about the CPPA’s draft ADMT regulations in our blog post here, and a summary of proposals to regulate AI by state legislatures in the past year in our blog post here.