On November 27, 2023, the California Privacy Protection Agency (“CPPA”) issued a discussion draft of regulations on automated decisionmaking technology (“Discussion Draft on ADT”) and amended regulations on risk assessments (“Discussion Draft on Risk Assessments”) (collectively, “the Discussion Drafts”). The Discussion Drafts include requirements related to (1) notice, (2) opt-outs, and (3) access rights, which are discussed below. Importantly, the CPPA has not initiated the formal rulemaking process and the Discussion Drafts are intended only to “facilitate Board discussion and public participation.” The CPPA’s announcement of these Discussion Drafts indicates that formal rulemaking will not begin until 2024, although the exact timing is still unknown.
As background, with respect to automated decisionmaking technology, the California Consumer Privacy Act (“CCPA”) requires the CPPA to issue “regulations governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology, including profiling . . . .” See Cal. Civ. Code 1798.185(a)(16). The CCPA did not define “automated decisionmaking technology” but defined “Profiling” to include “any form of automated processing of personal information . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” See Cal. Civ. Code 1798.140(z) and Discussion Draft CPPA regulations § 7001.
1) Scope
The Discussion Draft on ADT applies to Businesses (as defined by the CCPA) that use automated decisionmaking technology, which the Discussion Draft on ADT states is “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking . . . [and includes] profiling.” See Discussion Draft on ADT § 7001. Additionally, the draft sets out the following types of automated decisionmaking technology to which the notice, opt-out, and access rights apply:
(1) produces “legal or similarly significant effects,” where such effects relate to access to, approvals, or denials of “financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services;”
(2) profiling a consumer acting in an employment, student, job applicant, or independent contractor capacity, which may include activity and productivity monitors, keystroke loggers, and other data logging and speech, facial, and automated emotion assessment, location trackers, and other monitoring technologies; or
(3) profiling a consumer in a publicly accessible place, which may include license-plate readers, video or audio recordings, including live streaming, wi-fi or Bluetooth tracking, geofencing, or facial, speech, automated emotion assessment or location trackers.
Additionally, the Discussion Draft on ADT sets out three additional activities that are to be specifically discussed by the Board:
(4) profiling a consumer for behavioral advertising;
(5) profiling a consumer the business has actual knowledge is under 16; or
(6) processing personal information to train automated decision-making technologies.
See Discussion Draft CPPA Regulations § 7030(b).
Notably, the Discussion Draft on ADT refers to “behavioral advertising” as opposed to “cross-context behavioral advertising,” which could broaden the scope of opt-out rights to include some first party advertising activities.
2) Notice
The draft regulations introduce the concept of a “Pre-Use Notice” with respect to automated decisionmaking. The notice must inform a consumer about the business’s use of automated decisionmaking technology and about consumers’ rights to opt out of, and to access information about, such use. The draft regulations instruct businesses to make the notice readily available where consumers are likely to encounter it, “in the manner in which the business primarily interacts with the consumer,” and “before the business processes the consumer’s personal information using the automated decisionmaking technology.” Additionally, the Addendum to the Discussion Draft on ADT proposes that the requirements for the Pre-Use Notice be consistent with the Notice at Collection rules.
In plain language, the Pre-Use Notice should describe:
(1) the non-generic purposes of using the automated decision-making technology;
(2) the description of the consumers’ right to opt out of the in-scope processing and the methods to submit an opt-out request;
(3) the specific exceptions to the opt-out right a business relies on, where the draft regulations provide an exception to opt-outs (discussed below) (Note, here, that this requirement conflicts somewhat with a later provision in § 7017(c), which states “the business shall not be required to notify consumers about the right to opt-out of the processing in a Pre-Use Notice” for an excepted use);
(4) the consumers’ right to access information about automated decision-making and the methods to make the request; and
(5) a method to obtain additional information about the use of automated decision-making technologies (such as by a layered notice or hyperlink).
See Discussion Draft on ADT § 7017(b).
The additional information referred to in point (5) above must include a description of the logic used by the automated decision-making technology, including the key parameters and an explanation of the importance of the parameters; the intended output of the technology; how the business plans to use the output and the role of any human involvement; and whether the technology has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation. The Pre-Use Notice may also include a link to an unabridged risk assessment. See Discussion Draft on ADT § 7017(b)(4)(D).
Businesses are not required to disclose information in a Pre-Use Notice that would compromise their efforts to prevent, detect, and investigate security incidents; to “resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;” or to protect life and physical safety. See Discussion Draft on ADT § 7030(m)(1)-(3). This notice exception applies only to the extent the disclosure would compromise these efforts.
3) Opt-Out Rights
Consumers have the right to opt out of the activities described in Section 1 above. Businesses are not obligated to provide opt-out rights for uses that prevent, detect, and investigate security incidents or that resist malicious, deceptive, fraudulent, or illegal actions, as described in Section 2 above, or for activities that protect life and physical safety. In addition, businesses are not required to provide an opt-out to consumers if the automated decisionmaking is used to provide a good or service specifically requested by the consumer and there is no reasonable alternative method to do so. This exception is limited by a rebuttable presumption that a business has an alternative method of processing if other methods are used in the business’s industry or in similar industries to provide similar goods and services.
For all other in-scope processing, the business must provide a method for opting out, including an opt-out for behavioral advertising, which appears to be separate from an opt-out for sharing personal information that applies to cross-context behavioral advertising. Note, also, that parents and guardians of children under the age of 13, and minors who are 13 but younger than 16, have the right to opt into behavioral advertising.
The required opt-out is separate from but similar to the opt-out of sales and sharing. For example, a business must provide two methods to opt out of the use of automated decisionmaking technology, where at least one method reflects the manner in which the business primarily interacts with consumers but may not use a cookie banner or cookie controls. Further, a business must not require consumers to verify their identity to opt out of profiling for behavioral advertising, but may require consumer verification where consumers are “more likely than not” to be negatively impacted if the business were to honor a fraudulent request.
The business must also provide a method for consumers to submit complaints about the use of automated decisionmaking technologies.
4) Access Rights
For in-scope uses of automated decisionmaking technologies, businesses must provide consumers whose identities the business can verify the ability to access information about (1) the purposes of the business’s use of the technology; (2) the output or outputs of the technology with respect to the requesting consumer; (3) how the business used the output to make a decision, including the decision made, any factors other than the output considered, the role of human involvement, if any, and whether the use has been evaluated (and, if so, the outcome of the evaluation) for validity, reliability, and fairness; (4) how the business plans to use the output; (5) how the technology worked with respect to the consumer including how logic, its assumptions, and limitations applied to the consumer, and the key parameters, why those parameters were key, and how those parameters applied to the consumer; (6) a method by which a consumer can obtain the range of possible outputs, (7) instructions for how the consumer can exercise other CCPA rights, and (8) instructions for submitting a complaint to the business and an explanation that the consumer can file a complaint with the CPPA and Attorney General. See Discussion Draft on ADT § 7031.
Where the business is unable to verify the requesting consumer’s identity, the business may describe the purposes of the automated decisionmaking, the range of outcomes, instructions for exercising other rights, and instructions for making complaints, but the business must not provide unverified consumer access to information about the use of automated decisionmaking as applied to that consumer. Instead, the business must inform the consumer that it is unable to verify the consumer’s identity. Further, the business must inform a verified consumer of any basis for denial and, if the request is denied only in part, the business must disclose information relating to the portion of the request that is not denied. Id.
5) Risk Assessments
The changes proposed in the Discussion Draft on Risk Assessments are largely intended to bring it in line with the Discussion Draft on ADT, and include new triggers for risk assessments, including using automated decisionmaking:
for a decision that produces legal or similarly significant effects concerning a consumer;
for Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student;
for Profiling a consumer while they are in a publicly accessible place; or
for Profiling for behavioral advertising.
It also lists additional items for Board discussion in the context of processing personal information to train automated decision-making technology that may be used for (1) any of the processing listed above; (2) establishing individual identity on the basis of biometric information; (3) facial-, speech-, or emotion-detection; (4) the generation of deep fakes (i.e., manipulated or synthetic audio, image, or video content that depicts a person saying or doing things they did not say or do and that are presented as truthful or authentic without the person’s knowledge and permission); or (5) the operation of generative models, such as large language models.
There are also updated requirements related to the content of the assessments and the process for annual submission to the CPPA.
Regardless of the final form, the Discussion Drafts indicate that there will be substantial increases to the notice, documentation, and operational obligations on many businesses engaged in the in-scope activities, including businesses engaged in behavioral advertising or that otherwise personalize their services to consumers. Businesses that wish to weigh in on these impacts should note that the Discussion Drafts are scheduled to be discussed by the CPPA Board during its December 8, 2023 meeting, and that the CPPA intends to begin the formal rulemaking process in 2024.
Charlotte Lunday is a Senior Associate at Hintze Law with expertise in COPPA, FERPA, and online safety.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.