In recent months, the California Privacy Protection Agency (“CPPA”) has taken significant strides towards regulating the use of automated decision-making technology (“ADMT”), marking a pivotal moment in the evolution of privacy protection laws. With the CPPA’s recent move toward formalizing proposed regulations regarding ADMT (see an overview of proposed rule revisions here), California once again positions itself at the forefront of creating regulatory regimes at the intersection of data privacy and consumer protection, and businesses would do well to monitor how eventual legislation is beginning to take shape.
At the heart of the CPPA’s deliberations lies a delicate balance between safeguarding consumer privacy rights and fostering innovation in businesses. As currently drafted, proposed regulations aim to provide clarity on the scope of ADMT’s usage and regulation, and to establish rules for its usage by businesses that will ensure transparency, accountability, and consumer choice, including notification of consumers subject to ADMT and providing consumers with the right to opt out of its usage (subject to certain exceptions). Other key updates to the proposed regulations include refined definitions to clarify the applicability of ADMT regulations, modifications to risk assessment requirements, and delineation of consumer rights regarding notification of the use of ADMT. The revisions aim to address concerns raised by stakeholders while maintaining robust protections for consumer privacy. Certain noteworthy changes in the proposed regulations include (among other items):
Challenges remain, however, particularly regarding the broad definition of ADMT and exceptions to opt-out rights (which can include exceptions for security concerns or fraud prevention, as well as for businesses adding certain methods of “appeal” to human reviewers).
Looking ahead, the next stage of the formal rulemaking process will involve soliciting additional stakeholder feedback, with revisions expected to address concerns and refine the proposed regulations. Businesses with operations or interests in California, which includes an ever-expanding universe of e-commerce businesses located around the world, are advised to stay informed about these developments as they navigate the evolving regulatory landscape.
On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA), making Maryland the 18th state to enact comprehensive privacy...
PAG Law has a rich history of advocating for founders and entrepreneurs.
Our commitment to excellence has driven numerous
successful outcomes in complex legal matters.