
California: The draft ADMT rules - top takeaways

California is on the verge of shaking up the privacy space again with rules on automated decision-making technology (ADMT). On February 23, 2024, California's dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released an updated draft of ADMT rules that builds on the Agency's December 2023 draft. Josh Hansen, Associate at Shook, Hardy & Bacon L.L.P., outlines the key points of the rules, their scope, and their requirements.


The proposal reflects an ambitious approach without parallel in US privacy law. These rules impose three overarching obligations: (1) make robust disclosures (pre and post use); (2) offer the ability to opt out; and (3) provide detailed information in response to queries from consumers (which is California Consumer Protection Act (CCPA) jargon for 'data subjects').

But fear not! These are not final rules. Formal rulemaking has not even started. The CPPA is sharing this early draft to facilitate internal and public discussion before beginning formal rulemaking, likely sometime this year, with final rules probably taking effect sometime in 2025.

What are the top-line takeaways?

The key points to remember are that the rules cover more than other state laws and have:

  • Broad application - the rules apply to a wide range of ADMT uses, including profiling employees or making significant decisions, with narrow exceptions.
  • Onerous disclosures - companies must make comprehensive disclosures before using ADMT for certain purposes, provide more information when a consumer asks for it, and sometimes give proactive post-use notice.
  • Opt-out rights - consumers can prevent the use of ADMT in many situations.
  • Unclear effective date - the CPPA has yet to start formal rulemaking, and there are a variety of factors that impact timing once there are final rules.

What changed from the December 2023 draft?

A lot. Beyond renumbering everything and moving provisions around, some of the notable changes are: (i) eliminating the need to discuss validity, reliability, and fairness testing; (ii) limiting the opt-out exceptions and making them more onerous; (iii) narrowing the definition of ADMT to exclude activities with substantial human involvement; (iv) expanding situations where post-use notice is required; (v) adding new defined terms, which make the rules even more technical; (vi) removing a requirement to inform consumers about their right to file complaints with the CPPA, the business, and the Attorney General (AG); and (vii) adding assessment requirements for businesses using physical/biological characteristics (e.g., biometrics) to identify or profile consumers.

What is in scope?

Starting with the basics, these rules only apply to companies subject to the CCPA. Recall that the CCPA applies to an entity that: (i) has $25 million in revenue; (ii) processes personal information on 100,000 California residents; or (iii) derives at least 50% of its revenue by selling or sharing (using for certain targeted advertising) personal information.

Assuming the CCPA applies, everything turns on what is ADMT: 'technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.' The definition encompasses profiling - automated processing of personal information to predict/evaluate certain personal aspects of a consumer - but not web hosting, calculators, spreadsheets, or other discrete technologies that the CPPA specified in their revised draft.

Key point! While the old draft applied regardless of human involvement, the new draft now tracks Colorado's approach by excluding processing where there is meaningful human involvement.

But not all ADMT is in scope. The rules only apply to ADMT used for:

  • Significant decisions - the ADMT is for a decision that results in access to or denial of financial/lending services, housing, insurance, education opportunities, criminal justice, employment opportunities or compensation, healthcare services, or essential goods/services.
  • Extensive profiling - the ADMT is for profiling for behavioral advertising (i.e., any personalized advertising); through systematic observation of consumers in a public place; or through such observation of employees, job applicants, or applicants to an educational program.
  • ADMT training - the ADMT is for processing personal information to train ADMT that can be used for significant decisions, establishing identity, generating deepfakes, or physical/biological identification or profiling. (This is very broad because it asks about potential uses rather than actual or intended uses.)

When using ADMT for one of the above purposes, a business generally must provide consumers with: (i) a notice explaining the ADMT; (ii) the right to opt out of ADMT; and (iii) a right to access details about the business' use of the ADMT. The rest of this article covers those duties.

What disclosures are required?

Using ADMT may trigger two disclosure obligations: notice before and, in limited situations, after the business uses the ADMT.

Pre-use notice

Before using ADMT, a business must present 'prominently and conspicuously' a 'pre-use notice' explaining each use of ADMT and consumers' rights with respect to ADMT. In a key change from the earlier draft, the CPPA is allowing companies to issue a consolidated notice covering each use and purpose.

Contract consideration! Companies need to update their contracts to ensure their ADMT vendor provides the necessary information for the notice.

The notice must be in plain English and explain the:

  • Purpose - state why the business is using the ADMT without resorting to generic phrases, such as 'to improve our services,' that fail to put the consumer on notice.
  • Opt-out process - note the consumer's right to opt out of ADMT and explain how the consumer can exercise that right. If a business is not required to offer an opt-out right because an exception applies, the business must acknowledge that, identify the exception, and (if applicable) the right to request that a human review the decision.
  • Access right - describe the consumer's right to access information about the use of ADMT and explain how a consumer can exercise that right unless the business is using the ADMT solely for training ADMT.
  • Non-retaliation - state that the business will not retaliate against the consumer for exercising their CCPA rights.

Unless the processing is just to train an ADMT, the business must also include - or provide a simple way to access - additional details about the ADMT's:

  • Logic - explain the logic used in the ADMT, including the key parameters affecting the output.
  • Output - identify the ADMT's intended output (e.g., a numerical score or placement into specific categories).
  • Usage - specify how the business intends to use the output to make decisions and how humans are involved in that process.

This is more limited than the earlier draft; the CPPA removed the requirement that a business explain the results of any testing for validity, reliability, and fairness (or state it performed no such testing).

The level of detail required in the notice means that businesses need more than a superficial understanding of their ADMT practices and how the tool works.

Post-use notice

A business must notify the consumer after using ADMT to make certain decisions regarding the individual. In a change from the prior draft, the CPPA expanded the situations triggering the need for that notice: It is now required whenever ADMT is used for a significant decision with an adverse effect on the consumer - e.g., terminated employment or denied housing - rather than just denials of essential goods or services. The notice, which must go out as soon as possible (no more than 15 business days) after the decision, generally must acknowledge that ADMT was used and explain the consumer's rights - such as access and, when applicable, requesting human review.

When does a consumer have the right to opt out of ADMT?

Subject to narrow exceptions, a business is required to promptly honor a consumer's request to opt out of the business using ADMT to process the consumer's personal information.

Method

A business must offer two opt-out methods, including one option based on how the business primarily interacts with the consumer, and a means for the consumer to verify their request was honored.

Practice tip! A business with an online presence must offer an interactive form for opt-out requests - but the CPPA says cookie banners and management tools are insufficient.

Similar to other CCPA opt-out rights, companies cannot require a consumer to verify their identity before processing their request - but they can ask for information necessary to honor the request. This is a slight shift from the earlier draft, which allowed a business to require verification when it determined that honoring fraudulent requests would likely harm consumers. A business, however, can deny a request they believe is fraudulent so long as they document their decision and inform the consumer why they believe the request is fraudulent.

Timing

The timeframe for honoring a request depends on when it was received. If a consumer opted out before processing started, then the business cannot use ADMT on the consumer's personal information. But, if the request came in after processing started, the business must honor the request as soon as possible (within 15 business days) and instruct recipients - such as service providers - that they need to comply with the request. For such 'late' requests, the business also can neither use nor retain any results from their use of the ADMT on the consumer's information.

Exceptions

The right to opt out is not absolute. There are three possible exceptions:

  • Safety, security, and fraud - the ADMT is necessary for and limited to ensuring safety, addressing security risks to personal information, or resisting problematic activity (fraud, malicious acts, etc.).
  • Human review - the consumer can appeal the decision to a human reviewer empowered to overrule the decision. To rely on this exception, the business must: (i) allow the consumer to submit new information; and (ii) inform the consumer of their appeal right.
  • Evaluation - the ADMT is necessary for and limited to evaluating performance, allocating work, etc., and the business evaluated (or reviewed the provider's assessment of) the ADMT to ensure it works as intended. Some situations also impose extra requirements, such as testing accuracy or adopting safeguards (e.g., policies) to ensure proper functionality.

Whether an exception applies depends on the way the business is using ADMT:

| Use of ADMT | Safety, security, and fraud | Human review | Evaluation |
|---|---|---|---|
| Significant decisions: admission, hiring, or work/compensation allocation | No | Yes | Yes |
| Other significant decisions | No | Yes | No |
| Work and education profiling | Yes | No | Yes |
| Public profiling | Yes | No | No |

These exceptions are more situation-dependent than the December draft, which only carved out ensuring safety, preventing fraud, maintaining security, and providing the requested good or service. Similar to the earlier draft, however, the CPPA provides no exceptions in certain contexts; a business must provide an opt-out right when using ADMT for behavioral advertising or training ADMT.

What information can a consumer request about ADMT usage?

The CPPA is proposing an expansive right to access information about how the business uses ADMT. This right, which is similar to the existing CCPA right to know, requires a business to compile detailed - and individualized - answers.

Availability

A consumer has a right to request information whenever a business uses ADMT for significant decisions or extensive profiling. (There is no right when the ADMT is used for training ADMT.) This is a broad grant because it provides an access right even in situations where there is no right to opt-out because an exception applies.

Method

Most companies will need to offer at least two methods for submitting a request, including a toll-free number. The only exception is for exclusively online companies that have a direct relationship with the consumer - they only need to set up an email address for receiving requests.

Compliance note! A business has 45 days to honor a request - and, unlike the other CCPA rights, there is no option for an extension.

As with most CCPA rights, the business must deny a request if it cannot verify the consumer's identity. It can also deny a request when honoring it would conflict with the law or when the request is subject to a CCPA exception. Whenever a request is denied, the business must tell the consumer why.

Content

Unlike the CCPA's right to know, a consumer does not need to specify exactly what they want to receive when submitting an access request: A business must provide everything listed in the regulation, although they can provide aggregated responses when they frequently (more than four times a year) use ADMT with respect to the consumer. Similar to the pre-use notice, a response requires a nuanced understanding of how the business is using ADMT with respect to the individual. The business must translate complex, technical concepts into 'plain language explanations' covering:

  • Purpose - why was ADMT used?
  • Output - what was the output of the ADMT?
  • Use - how was the output being used to make a decision?
  • Function - how did the ADMT work?
  • Rights - how can a consumer exercise their other CCPA rights?

The rules add some color to a few of the above requirements. For example, the use description must explain any human involvement when the output was used to make a significant decision. In contrast, when the output was used for extensive profiling, the business does not need to address human involvement but must explain the output's role in the business' evaluation of the consumer. Additionally, the details of the function must include the logic and key parameters (but the Agency no longer requires an explanation of why those parameters are important).

What comes next?

The CPPA will discuss these new rules during their March 8, 2024, meeting. Given that this is a second draft, we may see them start formal rulemaking. Formal rulemaking involves the CPPA sharing draft rules and an Initial Statement of Reasons explaining the rules. Then the public gets at least 45 days to provide comments on the draft, and the CPPA must respond to each substantive comment. If the CPPA makes substantive changes to the proposed rules, they must open a new comment period lasting at least 15 days. Rinse and repeat until there are no more substantive changes - at which point, the CPPA will release its final statement of reasons and the final rules. Then we get to the fun stuff: determining the effective date.

When will the rules take effect?

When might the ADMT rules be effective, you ask? Great question. The answer is simple: it depends.

The CPPA first needs to start and complete formal rulemaking. At the end of that process, the rules are 'final' but not yet effective. Once the rules are finalized, all eyes will be watching whether the CPPA pursues an expedited effective date. Regulations normally take effect based on when the agency delivers the final rules to the Secretary of State:

| Date filed with California Secretary of State | Effective date |
|---|---|
| September 1 to November 30 | January 1 |
| December 1 to February 29 | April 1 |
| March 1 to May 31 | July 1 |
| June 1 to August 31 | October 1 |

But an agency can also ask for an expedited effective date, which is what the California AG requested for the initial CCPA rules. Under that expedited process, the ADMT rules would become effective once the CPPA submits them to the Secretary of State.

In sum, the ADMT rules' effective date will depend on a few moving parts. But, in a recent(ish) development, the courts are unlikely to be one of those parts: On February 9, 2024, the CPPA won its appeal to overturn a trial court order requiring the CPPA to wait a year before enforcing new rules. The plaintiffs in that case, however, are seeking discretionary review at the California Supreme Court.

How does California's proposal compare to other jurisdictions?

While waiting for the rules to take effect, businesses will need to assess how these regulations fit into their compliance program for other laws. California is largely charting new territory. (This is unsurprising given that California has often plotted its own course regarding consumer privacy; you have the California model, and then there is what everyone else is doing.) The rules are broader in a few notable respects than what we see in other jurisdictions:

  • Scope - California's rules apply to a wide range of ADMT, while other states limit their focus to a subset of ADMT uses - that is, profiling in furtherance of decisions producing legal/significant effects.
  • Disclosures - California and Colorado are the only states that mandate specific disclosures addressing ADMT, but California requires more detail and also (in certain circumstances) a post-use notice.
  • Rights - only California provides consumers a right to request information about ADMT usage (and response requires granular details).
  • Testing - California does not require bias testing, unlike the New York law on automated employment decision tools governing hiring practices.

But, at least in one respect, California's proposal is more business-friendly: it uses an opt-out framework, while other states require consumer consent to in-scope ADMT.

Josh Hansen Associate
Shook, Hardy & Bacon L.L.P., Denver
