On November 27, the California Privacy Protection Agency (CPPA) released draft regulations to govern automated decision-making technology. Businesses regulated under the California Consumer Privacy Act (CCPA) will be familiar with the obligation to disclose, in the company’s privacy policy, certain uses of automated decision-making technology or consumer profiling. However, the scope of consumers’ right to opt out of being subject to automated decision-making technology, including profiling, has remained murky: rather than directly establishing governing parameters, the CCPA broadly mandates the CPPA to issue “regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.”
On the Wednesday before Thanksgiving, the CPPA released these draft regulations to the public. The CPPA board is scheduled to discuss the regulations at its December 8, 2023 meeting, with formal rulemaking expected to follow in 2024.
The regulations were expected to be significant, and they are. The breadth of the proposed regulations and their requirements is evident from the outset. Unsurprisingly, they define “automated decision-making technology” broadly, as:
Any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as a whole or part of a system to make or execute a decision or facilitate human decision-making. Automated decision-making technology includes profiling.
“Profiling,” in turn, means:
any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
If your business uses, or intends to use, technologies in any application that falls into the above categories, it is highly likely that your use of such technologies will be regulated, by the CCPA or otherwise, either now or in the future. It will be important to keep an eye on the various layers of obligations that various regulators are developing around the use of these technologies.
For businesses subject to the CCPA, the proposed regulations make clear that such businesses using automated decision-making technology must, among other things, give consumers (1) notice of a right to opt out of being subject to the technology and (2) the right to access information about how the business uses the technology. Specifically, a “Pre-use Notice” must be made readily available “where consumers will encounter it” before the business processes the consumer’s personal information using the automated decision-making technology. Among other things, the notice must explain the purpose for which the technology is used, describe the consumer’s right to opt out, and provide additional information regarding the technology, including:
- The logic used in the technology, including key parameters that affect the output, and why such parameters are considered “key”;
- The intended output of the technology;
- How the business plans to use the output to make a decision, and the role of any human involvement in such decision-making; and
- Whether the proposed use of the technology has been evaluated for “validity, reliability, and fairness,” and if so, the outcome of any such evaluation.
The draft proposal demonstrates uncertainty, however, about the final scope of the opt-out right. As an initial matter, the proposed opt-out would be applicable for decisions that produce legal or similarly significant effects concerning a consumer, profiling consumers in their capacities as an employee, independent contractor, job applicant, or student, or profiling consumers in publicly accessible places.
Notably, the notion of “profiling” employees, independent contractors, job applicants, or students is specified to include use of the following:
- keystroke loggers, productivity or attention monitors;
- audio/video recording or livestreaming;
- facial or speech recognition or detection;
- automated emotion assessment;
- location or speed trackers; and
- web browsing, mobile application, or social-media monitoring tools.
Profiling consumers in public includes use of the following technologies:
- Wi-Fi or Bluetooth tracking;
- Radio frequency identification;
- Drones;
- Video or audio recording or livestreaming;
- Facial or speech recognition or detection;
- Automated emotion assessment;
- Geofencing;
- Location trackers; and
- License plate recognition.
While the foregoing scope seems to be somewhat settled, the draft also identifies the following potential extensions of the opt-out right, subject to further Board discussion:
- Profiling consumers for the purpose of behavioral advertising;
- Profiling consumers that the business knows are under the age of 16; and
- Processing consumers’ personal information to train automated decision-making technology.
Given the broad scope of this potential new opt-out right—and the potential that it will be broadened further—businesses that are implementing, or taking steps to implement, automated decision-making technology should be thinking about practical measures to design and implement pre-notice and opt-out measures into their processes.
Notably, the current proposal carves out an exception to the proposed opt-out right where the automated decision-making technology “is necessary to achieve, and is used solely for” one of the following purposes:
- To prevent, detect, and investigate security incidents;
- To resist malicious, deceptive, fraudulent, or illegal actions directed at the business;
- To protect consumers’ life and physical safety; or
- In many cases, to provide a good or service specifically requested by the consumer, provided that the business has no reasonable alternative method of processing (as further defined in the draft regulations).
Regardless of the final scope of the proposed automated decision-making opt-out right, a regulated business will likely be required to provide at least two opt-out methods. For businesses that interact with consumers online, one of these options must be an interactive form accessible via an opt-out link that is provided in the pre-use notice.
The draft regulations continue to propose an additional “access right” authorizing consumers to obtain information regarding the business’s use of automated decision-making technology and certain additional rules relating to behavioral advertising targeting consumers under 16 years old.
Given that the brief discussion above only scratches the surface of the potential impact of the CPPA’s new draft regulations to govern automated decision-making technologies, the CPPA’s future work on the topic is worth continued scrutiny. The scope of the CPPA’s final regulations on the topic remains uncertain. The far-reaching effects of the agency’s final regulations, however, are guaranteed. Varnum is closely monitoring these developments and the emerging regulations to assist our clients with practical compliance strategies meeting their needs.