CPPA Releases Draft Automated Decisionmaking Technology Regulations: What Does the Proposed Regulatory Framework for Automated Decision-Making Technology Include?

The California Privacy Protection Agency (CPPA) has released draft regulations for discussion at its December 8th board meeting. These proposed regulations address three key areas: Automated Decision-Making Technology (ADMT), risk assessments, and data broker registration

The CPPA's comprehensive approach to these three areas demonstrates its commitment to protecting consumer privacy in a rapidly evolving data landscape. Additionally, the CPPA Board meeting scheduled for December 8, 2023 will discuss previously-released proposed regulations regarding cybersecurity audits and risk assessments.

What is the California Privacy Protection Agency?

The California Privacy Protection Agency (CPPA) is the state agency responsible for enforcing California's privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This law grants individuals significant control over their personal data and aims to ensure responsible data practices by businesses.

What is the Automated Decision-Making Technology?

Automated decision-making technology (ADMT) refers to any technology that uses algorithms or other automated processes to make decisions about individuals. This encompasses a wide range of applications, including credit scoring, loan approvals, job applications, criminal risk assessments, and even personalized recommendations and targeted advertising.

Why is the CPPA concerned about ADMT?

The CPPA is concerned about the potential for ADMT to be used in unfair, discriminatory, or opaque ways. Some concerns include:

• Bias in algorithms: Algorithms trained on biased data can perpetuate discriminatory outcomes.
• Lack of transparency: Individuals may not understand how ADMT decisions are made, making it difficult to challenge them.
• Limited control over personal data: Individuals have little control over how their data is used in ADMT processes.
• Potential for privacy violations: ADMT can involve the collection and analysis of large amounts of sensitive personal data.

These concerns highlight the need for regulations to ensure that ADMT is used responsibly and ethically.

What is the proposed regulatory framework for Automated Decision-Making Technology?

The draft automated decisionmaking technology regulations aims to address the concerns surrounding ADMT by providing consumers with more control over their data and ensuring transparency and fairness in ADMT practices. Here are some key elements:

1. Right to opt-out: Consumers have the right to opt-out of ADMT decisions that have a significant legal or personal impact on them. This allows them to avoid being subject to automated decisions they may disagree with.
2. Right to access and explanation: Consumers have the right to access information about how their data is used in ADMT decisions and receive an explanation of how the decision was made. This transparency is crucial for consumers to understand and challenge potential biases or errors.
3. Pre-use notice: Businesses would be required to provide “Pre-use Notices” to inform consumers about how the business intends to use ADMT, so that the consumer can decide whether to opt-out or to proceed, and whether to access more information. This empowers consumers to make informed choices about sharing their data.
4. Prohibition on unfair or discriminatory practices: Businesses are prohibited from using ADMT in ways that are unfair, discriminatory, or violate the CPPA. This addresses concerns about bias and ensures equal treatment for all consumers.

What types of ADMT are subject to the draft regulations?

The CPPA's draft regulations on ADMT apply broadly, encompassing a wide range of technologies. However, the focus is primarily on ADMT that makes decisions with significant legal or personal impact on individuals.

Here's a breakdown of the types of ADMT subject to the draft regulations:

ADMT utilized for decisions with significant legal or personal impact:

These include decisions that have the potential to:

• Deny or limit access to essential goods or services: Examples include credit scoring for loan applications, insurance underwriting, and housing applications.
• Affect employment opportunities: This encompasses decisions about hiring, promotion, and termination.
• Determine access to educational opportunities: This includes decisions about admissions, financial aid, and course placement.
• Substantially impact an individual's financial or economic status: This includes decisions about credit limits, insurance premiums, and debt collection.
• Significantly impact an individual's health or safety: This includes decisions about medical diagnoses, treatment plans, and access to healthcare services.
• Impact the individual's ability to exercise their legal rights or access government benefits: This includes decisions about eligibility for social security benefits, unemployment benefits, and public housing.

ADMT used for targeted advertising:

The draft regulations also apply to ADMT used for targeted advertising, but only when such advertising is "likely to have a significant impact on the individual." This might include situations where the advertising is based on sensitive personal data or is likely to lead to discrimination.

ADMT used for profiling individuals:

The use of ADMT to profile individuals is also subject to the draft regulations, particularly when the profile is used for targeted advertising or to make decisions with significant legal or personal impact. This includes profiling consumers in publicly accessible places, such as shopping malls, medical offices, and stadiums.

It's important to note that the draft regulations do not explicitly define "significant legal or personal impact." This leaves some room for interpretation and potential ambiguity. However, the examples provided above offer a good starting point for understanding which types of ADMT are likely to be subject to the regulations.

What must be included under the right to opt-out and access information on ADMT?

Under the CPPA's proposed framework, the right to opt-out and access information on ADMT requires several key elements:

• Opt-out:
  - Clear and conspicuous notice: Consumers must be informed about their right to opt-out of ADMT decisions that have a significant legal or personal impact on them. This notice should be clear, conspicuous, and easily accessible.
  - Simple and accessible opt-out mechanism: Businesses must provide a simple and accessible mechanism for consumers to exercise their right to opt-out. This could be through a dedicated website page, mobile app setting, or other user-friendly method.
  - Honoring opt-out requests: Once a consumer opts out, businesses must comply with the request and cease using ADMT for the specific decision or purpose.
• Access to information:
  - Transparency about the use of ADMT: Consumers have the right to access information about how their personal data is being used in ADMT processes. This includes information about the types of data used, the algorithms used, and the purpose of the ADMT.
  - Explanation of ADMT decisions: Consumers have the right to receive an explanation of how an ADMT decision was made that affects them. This explanation should be clear, understandable, and sufficient to enable the consumer to understand the basis of the decision.
  - Right to access and correct personal data: Consumers have the right to access and correct any inaccurate personal data used in ADMT processes. This ensures that the data used to make decisions about them is accurate and up-to-date.

Additionally, the CPPA emphasizes:

• Specificity: The opt-out and access provisions should be specific to the type of ADMT and its intended purpose.
• Timeliness: Businesses must respond to opt-out requests and information access requests promptly.
• No cost: Consumers should not be charged any fees for exercising their rights to opt-out or access information about ADMT.

By providing these rights and ensuring their effective implementation, the CPPA aims to empower consumers with control over their data and ensure transparency and fairness in ADMT practices

.

How should businesses respond to the requests for access?

The proposed laws provide that if a business has made a choice that leads to the refusal of products or services for the consumer, the business is required to inform the consumer:

• that the business made a decision with respect to the consumer;
• that the consumer has a right to access information about the use of ADMT;
• how the consumer can exercise their right; and
• that the consumer can file a complaint with the CPPA and California Attorney General (AG).

If a business refuses a consumer's verified request to exercise their right to access, the firm is required to notify the requester and provide an explanation for the rejection. Businesses are required to authenticate the identity of those who submit the request.

What are the requirements of the draft risk assessment regulations?

The CPPA's draft risk assessment regulations outline ten key requirements businesses must fulfill when processing personal information that presents "significant risk" to consumer privacy. These requirements aim to promote proactive risk management and ensure businesses adequately address potential privacy harms.

1. Identify and document the processing activities: Businesses must describe and document all processing activities involving personal data, including the specific data collected, the purposes for which it is used, and the duration of storage.
2. Identify and document the risks: Businesses must identify and document all potential risks arising from the processing activities, considering factors like data security vulnerabilities, potential for discrimination or bias, and the sensitivity of the data collected.
3. Assess the likelihood and severity of the risks: Businesses must assess the likelihood and severity of each identified risk, considering the potential impact on individuals' privacy. This assessment should be based on a comprehensive analysis of the processing activities and the surrounding context.
4. Implement safeguards to address the risks: Businesses must implement appropriate safeguards to mitigate the identified risks. These safeguards could include technical measures like data encryption, organizational measures like employee training, and contractual measures with third-party vendors.
5. Assess and document the effectiveness of the safeguards: Businesses must regularly assess the effectiveness of the implemented safeguards and document their findings. This ensures the safeguards remain effective and adapt to evolving risks.
6. Update the risk assessment regularly: Businesses must update the risk assessment regularly, at least annually or as necessary when processing activities change or new risks are identified.
7. Maintain records: Businesses must maintain records of their risk assessments for at least five years. This documentation serves as evidence of compliance and facilitates future reassessments.
8. Submit risk assessments to the CPPA: Businesses may be required to submit their risk assessments to the CPPA for review upon request. This allows the CPPA to monitor compliance and provide guidance where needed.
9. Cooperate with the CPPA investigation: Businesses must cooperate with the CPPA's investigations into potential violations of the risk assessment requirements. This includes providing access to relevant documents and information.
10. Provide notice and right to opt-out: If the risk assessment identifies significant risks of bias, discrimination, or unfairness, businesses must provide consumers with a clear and conspicuous notice about the risks and an opportunity to opt-out of the processing activity.

These ten requirements provide a framework for businesses to proactively manage privacy risks associated with personal data processing. Businesses also would need to conduct risk assessments for certain types of ADMT uses.

What do the CPPA's proposed Data Broker Registration regulations contain?

The CPPA's proposed Data Broker Registration regulations aim to enhance transparency and accountability in the data broker industry.

Here are the key aspects of the proposed regulations:

1. Definition of "data broker": The regulations define a data broker as a business that "knowingly collects and sells or licenses to third parties the personal information of consumers with whom it does not have a direct relationship." This definition encompasses a wide range of data brokers, including those that collect and sell data from various online sources.
2. Registration requirements: The proposed regulations require all data brokers operating in California to register with the CPPA. This registration process would require data brokers to provide information such as:
   undefinedundefinedundefinedundefined
3. Fees and renewal: Data brokers would be required to pay a registration fee and renew their registration annually. The fees would be based on the data broker's size and revenue.
4. Public registry: The CPPA would establish a public registry of registered data brokers. This registry would allow consumers to access information about data brokers operating in California and learn about their data collection and sharing practices.
5. Verification and enforcement: The CPPA would have the authority to verify the accuracy of information submitted by data brokers and to enforce the registration requirements. This could include conducting audits, imposing fines for non-compliance, and taking legal action against data brokers that violate the regulations.
6. Consumer rights: The proposed regulations would also grant consumers certain rights in relation to data brokers. These rights would include:
   - The right to access information about the data collected by data brokers.
   - The right to opt out of the sale or licensing of their personal information by data brokers.
   - The right to have their personal information deleted by data brokers.

These proposed regulations aim to create a comprehensive framework for data broker registration and oversight in California. By requiring registration, establishing a public registry, and granting consumers certain rights, the CPPA seeks to increase transparency and accountability in the data broker industry and empower consumers with greater control over their personal information.

When will the framework go into effect?

The proposed framework is still in the draft stage. The CPPA is accepting public comments on the draft rules until December 8, 2023. After that, the CPPA will finalize the framework and it is expected to go into effect in 2024.

Who does the framework apply to?

The framework applies to any business that uses ADMT to make decisions about California residents. This includes businesses of all sizes and across various industries.

What do businesses need to do to comply with the framework?

Businesses that use ADMT should take the following steps:

1. Review the proposed framework: Familiarize yourself with the requirements and understand your obligations under the framework.
2. Assess your ADMT practices: Analyze how you use ADMT and identify areas where the framework applies.
3. Develop compliance strategies: Update your data privacy policies, establish processes for consumers to exercise their rights, and ensure transparency in your ADMT practices.
4. Stay informed: Monitor the CPPA website and other resources for further updates and guidance on the framework's implementation.