Last week, the California Privacy Protection Agency (CPPA) released draft automated decision-making technology (ADMT) regulations (guidelines). These proposed guidelines, which are currently open for public consultation, aim to establish a comprehensive framework governing the use of ADMT by businesses in an effort to provide consumers with greater control over their personal data.

The California Privacy Rights Act (CPRA) required the CPPA to issue regulations “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in those decision making processes, as well as a description of the likely outcome of the process with respect to the consumer.” The draft guidelines are not associated with any formal rulemaking process, but rather are “intended to facilitate Board discussion and public participation and is subject to change.” 

Implications for Businesses

The CPRA does not define ADMT, so the CPPA will need to define the technology for which it is regulating. The guidelines currently define ADMT as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision making. Automated decision-making technology includes profiling.” This definition, including facilitating human decision making, would render the scope of technologies regulated as one of the broadest definitions that privacy laws in the United States and European Economic Area have seen thus far.

The guidelines propose that the regulations would be triggered in situations of decision making that produce “legal or similarly significant effects,” which includes decisions resulting in access to, or the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, and essential goods or services. 
For businesses, the draft guidelines underscore the importance of transparency, accountability, and risk management in ADMT deployment. Businesses must carefully evaluate their ADMT practices, including implementing appropriate privacy safeguards.

The Guidelines

The guidelines encompass a range of crucial aspects, including:

• Pre-Use Notices: Businesses will be mandated to provide consumers with clear and concise “pre-use notices” outlining their ADMT practices. These notices must inform individuals about the specific purposes for which ADMT is employed and their rights regarding opt-outs and access to information. The notices must go alongside existing privacy notice requirements under the CCPA/CPRA.
• Opt-Out Choices: Consumers will be granted the right to opt out of ADMT usage in certain circumstances, particularly when such decisions produce “legal or similarly significant effects” – such as impacting access to financial services, housing, employment, or healthcare. The opt-out choice offered by a business must be in the manner in which the business primarily interacts with consumers, must be easy for consumers to execute, would trigger a requirement to cease processing within a maximum of 15 days, or as soon as feasibly possible, and would require a business to notify service providers to effectuate the opt out.
• Consumer ADMT Information Access Rights: Consumers will have the right to request detailed information about a business’s ADMT practices, including the logic behind decision-making processes and the anticipated outcomes. This information should be readily accessible and presented in a clear and understandable manner.
• Consumers Under the Age of 16: For businesses utilizing ADMT in behavioral advertising, stringent consent requirements will apply. Parental consent will be mandatory for consumers under the age of 13, while a more nuanced consent process will be necessary for those between the ages of 13 and 16.
• Risk Assessment: The draft regulations are closely intertwined with the CPPA’s proposed risk-assessment framework, which outlines requirements for businesses to conduct comprehensive assessments of their ADMT usage to identify and mitigate potential privacy risks.

The CPPA is currently seeking public feedback on the draft regulations, encouraging individuals and organizations to share their perspectives through the agency’s online portal. The agency will review all comments and engage in further discussions before finalizing the regulations. The CPPA Board is scheduled to discuss the guidelines at its meeting on December 8, 2023, and formal rulemaking is expected to commence in 2024.

Joseph "Joe" Damon, Leslie Green, Jackson Parese, Marc Jenkins, and Jack Pringle contributed to this article.