Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California: CPPA publishes draft automated decisionmaking technology regulations

On November 27, 2023, the California Privacy Protection Agency (CPPA) published draft automated decisionmaking technology regulations, a revised text of the draft risk assessment regulations, and a proposed text for data broker registration for discussion at the CPPA board meeting on December 8, 2023. In particular, the draft regulations would implement consumers' right to opt out of, and access information about businesses' uses of automated decisionmaking technology (ADMT) as provided for under the California Consumer Privacy Act (CCPA).

What types of ADMT are subject to the draft regulations?

The draft regulations outline that a business must provide consumers with the ability to opt out of a 'decision that produces legal or similarly significant effects concerning a consumer,' such as decisions about employment or compensation. Likewise, the draft regulations detail that consumers may opt out of 'profiling' as an employee, contractor, applicant, or student, such as the use of a keystroke logger or tracking location. Furthermore, consumers are noted to be able to opt out of the use of ADMT for profiling while they are in a publicly accessible place using Wi-Fi, video or audio recording, geofencing, or license plate recognition among other things.

The draft regulations also clarify that the profiling of a consumer that the business has actual knowledge is under the age of 16, and processing of personal information of consumers to train ADMT are additional options of discussion at the CPPA board meeting on December 8.

What must be included under the right to opt-out and access information on ADMT?

The draft regulations set out that a business that uses ADMT must provide consumers with a pre-use notice of rights to opt out of and access information about the businesses' use of ADMT. The notice must be made readily available where consumers will encounter it, and be provided in the manner in which the business primarily interacts with the consumer before the business processes the consumer's personal information using the ADMT. Further, the notice must include:

  • a plain language explanation of the purpose of use of ADMT;
  • a description of the consumer's right to opt out of the businesses' use of ADMT and how consumers can submit an opt-out request;
  • a description of the consumer's right to access information about the businesses' use of ADMT;
  • a simple and easy-to-use method by which the consumer can obtain additional information about the use of ADMT, explaining in plain language:
    • the logic used in the ADMT, including parameters affecting output;
    • the intended output of the ADMT;
    • how the business plans to use the output; and
    • whether the use of ADMT has been evaluated.

How must businesses respond to the requests for access?

The draft regulations stipulate that if a business has made a decision that results in the denial of goods or services with respect to the consumer, the business must notify the consumer:

  • that the business made a decision with respect to the consumer;
  • that the consumer has a right to access information about the use of ADMT;
  • how the consumer can exercise their right; and
  • that the consumer can file a complaint with the CPPA and California Attorney General (AG).

Where a business denies a consumer's verified request to exercise the right to access, the business must inform the requestor and explain the basis for the denial. Businesses must also verify the identity of persons making the request.

What are the requirements of the draft risk assessment regulations?

Notably, the draft risk assessment regulations, also to be discussed at the December 8 board meeting of the CPPA, incorporate the above changes regarding ADMT. Specifically, the draft risk assessment regulations provide that where businesses use ADMT for a decision that produces a legal or similarly significant effect or profiles a consumer, the business must conduct a risk assessment.

Data broker registration

Specifically on data broker registration, the proposed text confirms the annual fee to register as a data broker will be $400. 

You can read the press release here, the draft regulations here, the draft risk assessment regulations here, and the draft data broker regulations here.