California Moves Closer to Regulations on Automated Decision-Making Technology

In recent months, the California Privacy Protection Agency (“CPPA”) has taken significant strides towards regulating the use of automated decision-making technology (“ADMT”), marking a pivotal moment in the evolution of privacy protection laws. With the CPPA’s recent move toward formalizing proposed regulations regarding ADMT (see an overview of proposed rule revisions here), California once again positions itself at the forefront of creating regulatory regimes at the intersection of data privacy and consumer protection, and businesses would do well to monitor how eventual legislation is beginning to take shape.

At the heart of the CPPA’s deliberations lies a delicate balance between safeguarding consumer privacy rights and fostering innovation in businesses. As currently drafted, proposed regulations aim to provide clarity on the scope of ADMT’s usage and regulation, and to establish rules for its usage by businesses that will ensure transparency, accountability, and consumer choice, including notification of consumers subject to ADMT and providing consumers with the right to opt out of its usage (subject to certain exceptions). Other key updates to the proposed regulations include refined definitions to clarify the applicability of ADMT regulations, modifications to risk assessment requirements, and delineation of consumer rights regarding notification of the use of ADMT. The revisions aim to address concerns raised by stakeholders while maintaining robust protections for consumer privacy. Certain noteworthy changes in the proposed regulations include (among other items):

‍

• Enhanced definitions to clarify the types of technologies considered to be ADMT (including technologies that “replace human decision-making, or substantially facilitate human decision-making.”)
  
  
• Revised risk assessment requirements, including thresholds for when businesses must conduct risk assessments and specifications for submission materials. These thresholds include when businesses sell or share personal information, process sensitive personal information, use ADMT for “significant decisions” (including those involving the provision of many education, employment, healthcare or other essential services), and when ADMT may be used to identify and exploit certain key individual elements (such as the use of identifying information in certain generative technologies).
  
  
• Imposition of requirements on businesses regarding pre-use notices, opt-out mechanisms, and consumer access to information about ADMT usage, including information regarding the parameters and logic used in ADMT.

‍

Challenges remain, however, particularly regarding the broad definition of ADMT and exceptions to opt-out rights (which can include exceptions for security concerns or fraud prevention, as well as for businesses adding certain methods of “appeal” to human reviewers).

Looking ahead, the next stage of the formal rulemaking process will involve soliciting additional stakeholder feedback, with revisions expected to address concerns and refine the proposed regulations. Businesses with operations or interests in California, which includes an ever-expanding universe of e-commerce businesses located around the world, are advised to stay informed about these developments as they navigate the evolving regulatory landscape.