BACKGROUND – 27TH NOVEMBER, 2023 ADMT DRAFT (OLDER ONE)
The California Privacy Protection Agency (CPPA) unveiled its highly awaited draft regulations concerning the utilization of automated decision-making technology (ADMT) on November 27, 2023. Marking a significant development, these draft regulations provide a detailed framework for the oversight of ADMT and artificial intelligence (AI) by the CPPA. Spanning 17 pages, the draft regulations outline extensive responsibilities surrounding the implementation of ADMT.
Key Elements of the Draft Regulations:
The draft regulations predominantly revolve around a novel proposed framework governing the deployment of ADMT. This framework introduces three principal requirements:
- Pre-Use Notice Requirement: Businesses utilizing covered ADMT must furnish consumers with specific disclosures concerning the use of such technology. This requirement mirrors the “notice at collection” mandate delineated in the original CPRA regulations. It essentially resembles a public bias audit or risk assessment, akin to transparency obligations observed in analogous legislations such as New York City’s AI Bias law.
- Opt-Out Requirement: Establishing the provision for consumers to opt out of their personal information being processed using ADMT, this requirement parallels the Do Not Sell/Share opt-out provision delineated in the initial CPRA regulations. Under this mandate, businesses employing covered ADMT must enable consumers to opt out of its usage. Upon a consumer’s opt-out request, the business must cease processing their personal information through the ADMT within 15 business days and notify all subsequent recipients of the opt-out for compliance.
- Access Right Requirement: Businesses leveraging covered ADMT must afford consumers the opportunity to request comprehensive details regarding the business’s utilization of ADMT in processing their personal information. This access right mandate resembles the “right to know” provision outlined in the original CPRA regulations.
Scope of Application:
The ADMT framework applies exclusively to specific covered processing operations, necessitating the involvement of ADMT and meeting at least one of the following criteria:
- A decision yielding legal or similarly substantial consequences for a consumer.
- Profiling a consumer acting in roles such as an employee, independent contractor, job applicant, or student.
- Profiling a consumer within publicly accessible spaces.
- Profiling a consumer for behavioral advertising.
- Profiling a consumer under the age of 16, of which the business has actual knowledge.
- Processing consumer personal information to train ADMT.
Exceptions:
Section 7030(m) delineates crucial exceptions to the pre-use notice, opt-out, and access rights requirements. Businesses are exempt from providing consumers with pre-use notice, opt-out, or access rights if ADMT usage is essential solely for:
- Security measures to prevent, detect, and investigate security incidents.
- Fraud prevention against malicious, deceptive, fraudulent, or illegal actions.
- Ensuring the life and physical safety of consumers.
- Fulfilling specific consumer-requested goods or services where no reasonable alternative processing method exists.
Limited Obligations for Service Providers:
Under the draft regulations, service providers are only obligated to assist businesses in responding to verifiable consumer access requests. While other sections of the CPRA regulations impose specific duties on service providers, this section offers limited directives.
Special Provisions for Children Under 16:
The draft regulations also introduce special provisions concerning children under 16. Businesses profiling consumers under this age bracket must obtain opt-in consent, with consent from parents mandated for those under 13. Notably, this consent must be distinct from the verifiable parental consent stipulated under COPPA regulations.
UPDATED DRAFT REGULATIONS – 23RD FEBRUARY 2024 (CURRENT ONE)
The CPPA released its latest draft regulations concerning the utilization of AI and ADMT on February 23, 2024. This update marks a significant overhaul, aimed at reorganizing and clarifying the existing framework. The revised regulations now span 35 pages, consolidating ADMT and risk assessment obligations into a unified document. Noteworthy changes include the introduction of several new defined terms such as “behavioral advertising,” “deepfake,” “extensive profiling,” “physical identification or profiling,” and “systematic observation,” among others. The reorganization endeavors to align ADMT and risk assessment obligations more closely.
Key Amendments and Additions:
- Behavioral Advertising: The latest draft emphasizes the CPPA’s intent to regulate all forms of advertising, not limited to sales and shares. Businesses engaging in profiling for behavioral advertising purposes must adhere to both risk assessment and ADMT obligations, including honoring opt-outs. The definition of “behavioral advertising” encompasses targeted advertising based on a consumer’s personal information derived from their activities, excluding only non-personalized advertising like contextual advertising.
- Physical or Biological Identification or Profiling: New obligations are introduced for businesses employing “physical or biological identification or profiling.” Such entities must ensure that their processing methods do not discriminate against protected classes.
- Workplace and Security Exceptions: The updated regulations feature several new exceptions, with a focus on workplace and security-related concerns.
- Human Appeal Exception: A novel addition to the latest draft is the human appeal exception, enabling businesses to offer consumers the right to appeal decisions to a qualified human reviewer rather than providing an opt-out option.
Three Main Requirements: The draft regulations outline three core requirements under §7200:
- Pre-Use Notice: Businesses utilizing covered ADMT must furnish consumers with specific disclosures regarding its usage. This includes explanations of purpose, opt-out options, access rights, non-retaliation assurances, and details about ADMT functionality. Notably, notices must be prominently displayed before ADMT usage.
- Opt-Out: Consumers must be provided with the ability to opt out of their personal information being processed using ADMT. Businesses must cease processing within 15 business days upon opt-out and notify downstream recipients accordingly. Various aspects of the opt-out process, including the provision of alternative methods, responses to authorized agent requests, and exceptions, are delineated.
- Access: Businesses must facilitate consumer requests for detailed information regarding ADMT usage in processing their personal information. This includes specific purposes, outputs, methodologies, and non-retaliation assurances
Threshold Criteria: ADMT obligations apply when three conditions are met:
- Presence of ADMT: The technology involved must process personal information and utilize computation to execute decisions or significantly facilitate human decision-making.
- Utilization: ADMT must be employed for significant decisions concerning consumers, extensive profiling, or training purposes.
- No Complete Exception: ADMT must not fall under complete exceptions provided by California law.
Additional Provisions:
- Adverse Significant Decisions: Businesses making such decisions using ADMT must provide additional notice to consumers regarding their access rights within 15 days.
- Service Providers: Service providers must assist businesses in responding to verifiable consumer access requests under the ADMT obligations section.
- Children Under 16: The latest draft incorporates personal information relating to consumers under 16 as a category of sensitive personal information within the existing CPRA Regulations, removing express reference to them.
Summary of changes:
Supplementary materials:
In addition to releasing the 2023 Draft and 2024 Draft ADMT Regulations, the CPPA also published presentations for both documents.
Author:
Kosha Doshi, Final Year Student at Symbiosis Law School Pune & Legal Intern Data Privacy and Digital Law at EU Digital Partners
Kosha is also a co-author of “Facial Recognition at CrossRoads: Policy Perspectives on Disruption and Innovation,” at the Closing the Gap 2023 | Emerging and Disruptive Technologies: Regional Perspectives Conference in the Hague, Netherlands.