Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California: CPPA publishes revised draft ADMT and risk assessment regulation

On February 24, 2023, the California Privacy Protection Agency (CPPA) published its revised draft regulation on automated decision-making technology (ADMT) and risk assessments for discussion at its board meeting on March 8, 2024. During the board meeting, the CPPA also confirmed it will be discussing the draft California Consumer Privacy Act as amended (CCPA as amended) Regulations.

What are the key amendments to the draft ADMT and risk assessment regulations?

The proposed revisions include:

  • revisions to definitions including significant decisions, ADMT, and profiling;
  • clarification on the types of technologies that are not ADMT;
  • requirements associated with pre-notice; and
  • requirements for complying with opt-out and access requests.

The revised draft ADMT and risk assessments regulation outlines technologies that will not be categorized as ADMT such as data storage, firewalls, anti-virus, anti-malware, spam, and robocall-filtering provided that the technologies do not execute a decision, replace human decision-making, or substantially facilitate human decision-making. In addition, the revised ADMT and risk assessment regulation classifies 'educational or enrolment opportunity' and 'employment or independent contracting opportunities or compensation' decisions as 'significant decisions.' Regarding the right to opt out, the revised draft ADMT and risk assessment regulation confirms exceptions including:

  • retaining security, fraud prevention, and safety exception;
  • adding human appeal exceptions for significant decisions; 
  • adding evaluation exceptions for admission, acceptance, or hiring decisions;
  • allocation/assignment of work and compensation decisions; and
  • for work or educational profiling.

Regarding risk assessments, the revised draft ADMT and risk assessment regulation notes that the revisions to the threshold include:

  • incorporating minors' personal information into the definition of sensitive personal information;
  • adding a definition for extensive profiling; and
  • clarifying that risk assessments are required when training ADMT or artificial intelligence (AI) for:
    • a significant decision;
    • establishing identity;
    • physical or biological profiling;
    • generating deepfakes; or
    • operating generative models.

Furthermore, the revised draft ADMT and risk assessment regulation confirms the operational elements that must be identified in a risk assessment, the negative impacts to consumers' privacy a business may consider, and safeguards a business must identify for ADMT to ensure it works as intended and does not discriminate.

You can read the press release here, the draft ADMT and risk assessment regulations here, and the draft CCPA regulations here.

Update: March 8, 2024

CPPA releases additional meeting materials

On March 8, 2024, the CPPA released additional meeting materials for its meeting on the same date. The additional materials examine, among other topics, enforcement updates and priorities as well as public affairs. With regard to enforcement updates and priorities, the CPPA noted that between July 3, 2023, and February 22, 2024, it received 1,208 complaints. The complaints predominantly focused on the right to deletion, the collection, use, storing, and sharing of personal information, as well as the opting out of sharing and selling.

You can read the press release here.