On December 8, 2023, the California Privacy Protection Agency (CPPA) Board discussed a draft of its forthcoming artificial intelligence (AI) regulations on automated decision making technology (ADMT). The proposed regulations, published earlier on November 27, 2023, would impose significant new requirements on businesses subject to the California Consumer Privacy Act (CCPA) that use ADMT for certain use cases. The ADMT draft rules are expected to be part of the Agency’s larger rulemaking package alongside rules governing cybersecurity audits and risk assessments under the CCPA, as amended by the California Privacy Rights Act. While the draft ADMT regulations currently have no legal effect and are likely to undergo further revision before formal rulemaking begins, the current draft nonetheless provides an important preview of the rigorous new compliance requirements that could later take effect. Notable items put forth for public discussion include:
- Requiring businesses to provide enhanced notice, opt-out, and access rights to California residents when the business uses ADMT for any of the following purposes: 1) “for decisions that produce legal or similarly significant effects”; 2) to profile individuals in their capacity as a worker, job applicant, or student; 3) to profile individuals “in a publicly accessible place”; 4) to profile consumers for “behavioral advertising”; 5) to profile consumers known to be under 16 years old for any purpose; and 6) to process consumers’ personal information to train ADMT (collectively, a “covered purpose”).
- Before using ADMT for a covered purpose, requiring businesses to provide California residents with a “pre-use notice” informing residents of their rights to opt out (subject to certain exceptions) and access information about the business’s use of ADMT. Businesses would also be required to provide a link to “plain language” explanations of the ADMT’s logic, including its key parameters, and whether the organization’s use of the ADMT has been evaluated for “validity, reliability, and fairness,” and the outcome of any such evaluation.
- Requiring businesses to provide at least two methods for submitting ADMT opt-out requests. Those methods would have to consider ease of use, including how the business interacts with its consumers. Notably, cookie consent banners by themselves would not suffice.
- Imposing an affirmative obligation on businesses to provide notice to California residents when certain adverse actions are taken using ADMT. Relatedly, consumers would also have the right to access, among other things, a “plain language” explanation of how the ADMT worked with respect to him or her.
An analysis of the posted draft and accompanying Board discussion is provided below.
- Two-Prong Test: The draft contemplates two threshold questions for businesses covered under the CCPA to consider. First, is the business making use of an “automated decision making technology”? Second, assuming so, is the use of that ADMT for a covered use? Businesses would need to analyze both, as detailed below.
- Expansive Definition of ADMT: Consistent with the Agency’s previously published “conceptual language” on this topic, the proposal broadly defines “automated decision making technology” to cover “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” Read broadly, this definition could encompass a sweeping number of common technologies that support human decision making and that are not fully automated (e.g., ordinary data analysis tools like Microsoft Excel). As a result, Board members disagreed about whether this definition is so broad as to capture all types of software. In addition, ADMT is defined more broadly than profiling is defined in other state privacy laws, like the Colorado Privacy Act.
- Broader Definitions: The draft includes key definitions with some significant expansions and distinctions:
- Profiling: The draft definition of ADMT explicitly includes “profiling” (defined as “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements” (emphasis added)). This definition is more expansive than it first appears since the broad lead-in clause can be read to control rather than the enumerated examples within the definition. Nevertheless, the definition is essentially a verbatim copy of the one provided in the statute, which the CPPA is legally bound to follow.
- Employee Privacy: The definition of “profiling” is also broader than those in other state privacy laws such as Colorado and Connecticut, which, for instance, do not cover employee or contractor data. That said, Board members disagreed about whether, and to what extent, workers should be able to opt out of their employer’s use of ADMT. For example, some Board members raised concerns about the negative impact that the opt-outs might have on business operations and performance monitoring and suggested striking opt-out rights for workers.
- Decision That Produces Legal or Similarly Significant Effects: Under the proposal, this means “a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services” (emphasis added). In contrast to other state privacy laws, the draft covers decisions that result in “access” to the enumerated opportunities, not solely their “provision or denial.”
- Behavioral Advertising: The draft repeatedly uses the undefined term “behavioral advertising” instead of “cross-context behavioral advertising” (CCBA), the term used throughout all other previous CCPA regulations. It is unclear whether this is simply a mistake or intentional. On its face, “behavioral advertising” could also cover targeted advertising based solely on first-party data, which is outside the scope of the definition of CCBA.
- Pre-Use Notice Requirements: The draft regulations would require CCPA-covered businesses that use ADMT for a covered purpose to provide a “pre-use notice” that informs consumers about the business’s use of ADMT and the consumer’s right to opt out and to access further information. Importantly, the notice would have to be provided before the business processes the consumer’s personal information using the ADMT. What is more, the ADMT’s purpose would have to be explained in “plain language” and could not use “generic terms” such as “to improve our services.” The notice would also have to provide “[a] simple and easy-to-use method (e.g., a layered notice or hyperlink) by which the consumer can obtain additional information about the business’s use of the [ADMT].” The notice would have to include “plain language” explanations of the technology’s logic, including key parameters affecting the output of the ADMT, the intended output and use secured from the technology, and whether the business’s use of the ADMT has been evaluated for “validity, reliability, and fairness,” and the outcome of any such evaluation.
- Opt-Out Rights: Subject to several exceptions, the proposed regulations would also give consumers the right to opt out of a business’s use of ADMT: 1) “for decisions that produce legal or similarly significant effects”; 2) to profile individuals in their capacity as an employee, independent contractor, job applicant, or student; 3) to profile individuals “in a publicly accessible place”; 4) to profile consumers for “behavioral advertising”; 5) to profile consumers known to be under 16 years old for any purpose; and 6) to process consumers’ personal information to train ADMT. A business using ADMT for these covered purposes would have to provide at least two methods for submitting opt-out requests. Those methods would have to be provided in the manner in which the business primarily interacts with the consumer and be easy for consumers to execute. Notably, a notification or tool regarding cookies, such as a cookie banner or cookie controls, would not (by itself) be an acceptable method for submitting opt-out requests. The rule would also require businesses to instruct service providers to honor the consumer’s opt-out. A business would be permitted to deny an opt-out request or require further identity verification when it suspects fraud.
- Post-Use Notice Requirements: The proposed draft also contains an affirmative obligation for businesses to provide a notice to consumers of an adverse action using ADMT under certain circumstances. Specifically, if a business makes a decision that results in the denial of certain goods or services (i.e., financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services), the business would have to notify the consumer of the decision and inform the consumer that they have a right to access information regarding the business’s use of ADMT, how to exercise that right, and how to file a complaint with the CPPA or the California Attorney General.
- Exceptions: The draft regulations propose several important exceptions. A business would not need to offer a right to opt out of ADMT if the use of the technology is consistent with CCPA regulations concerning the reasonable expectations of consumers and is both necessary and solely used for a permissible purpose set forth in the regulations (e.g., preventing security incidents, resisting malicious or fraudulent actions directed at the business, protecting the life and physical safety of consumers, or providing the good or service specifically requested by the consumer where the business has no reasonable alternative method of processing). A business also would not need to respond to access requests or include information in a pre-use notice if the business is using ADMT for a permissible purpose (other than providing a good or service requested by the consumer) and providing the information would compromise its processing of personal information for these purposes. A business would not be able to rely on these exceptions for the purpose of profiling for behavioral advertising. Additionally, the scope of some of these exceptions may change, as the Board discussed narrowing the “requested good or service” exception.
- Access Rights: Under the proposed regulations, consumers would have the right to access information about a business’s use of ADMT for a covered purpose with respect to that consumer. In responding to the request to access and subject to certain exemptions, a business would have to provide the consumer with, among other things, a “plain language” explanation of: the purpose for which the business used ADMT; the output of the ADMT with respect to the consumer; how the business used (or plans to use) the output to make a decision with respect to the consumer; how the automated decision making technology worked with respect to the consumer; a method by which the consumer can obtain the range of possible outputs; and instructions for how the consumer can exercise their other CCPA rights.
- Profiling for Behavioral Advertising for U16 Consumers: A business that has actual knowledge that it profiles a consumer under 13 years old for behavioral advertising would be required to provide a method for a parent or guardian to opt in to the use of profiling for behavioral advertising. Likewise, a business that has actual knowledge that it profiles a consumer at least 13 years of age and under 16 years of age for behavioral advertising would be required to provide such consumers with a method to opt in to the use of profiling for behavioral advertising.
As governments around the world scramble to regulate AI, and without omnibus federal legislation regulating privacy or AI in the U.S., states like California continue to loom as leading regulators in this emerging tech space. As a result, businesses that rely on ADMT to power their products and services should keep a close eye on this development, as California could become a template for other states and agencies. The CPPA has stated that it plans to commence formal rulemaking in 2024, at which point companies doing business in California are strongly encouraged to submit public comments to the CPPA regarding the impact of the regulations on their operations. Until then, the proposal is likely to undergo more revisions as the CPPA Board continues to tinker with issues around definitions, scope, and future-proofing.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, or if you are interested in filing public comments related to this rulemaking, please contact Tracy Shapiro, Eddie Holman, Doo Lee, or any member of the firm’s privacy and cybersecurity practice.