California Privacy Protection Agency (CPPA) Releases Draft Rules Regarding Automated Decisionmaking Technology under CCPA
Today, the California Privacy Protection Agency (“CPPA”) released draft rules pursuant to the California Consumer Privacy Act (“CCPA”) governing consumer access and opt out rights with respect to Automated Decisionmaking Technology (“ADMT”). This is an early example of the development of regulations around artificial intelligence (“AI”) in the United States. (NOTE: The draft regulations note at the outset that the CPPA has not yet started formal rulemaking for cybersecurity audits, risk assessments, or automated decisionmaking technology. The draft text released, after public comment and notice, is intended to facilitate board discussion and public participation, and is still subject to change. Certain portions of the draft regulations are marked “for board discussion”.) The draft regulations will be discussed at the next CPPA board meeting on December 8, 2023.
A few notes on key parts of the draft regulations:
I. Key Definitions.
- “Automated decision-making technology” is defined broadly – to include “any system, software, or process – including one derived from machine-learning, statistics, or other data-processing or artificial intelligence – that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” Importantly, the definition expressly states that “[a]utomated decisionmaking technology includes profiling.” (Emphases added). This definition is broader than many definitions, in that it covers any computational system that “facilitates” human decisionmaking, thus potentially covering technologies that support human activities, and that are not fully automated.
- “Profiling” is defined to include “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
II. New Section 7017 – Pre-Use Notices.
- The draft regulations would add a new section 7017 to the CCPA regulations to require a business using automated decisionmaking technology to provide consumers with a “Pre-Use Notice”. The notice shall inform consumers about the business’s use of automated decisionmaking technology and consumers’ rights to opt out of, and to access information about, the business’s use of automated decisionmaking technology.
- Such “Pre-Use Notices” must give a plain language explanation, and may not be described in generic terms such as “to improve our services”, which the regulation states is “insufficient for the consumer to understand the business’s proposed purpose for using the ADMT.”
- Further, the notice must provide “a simple and easy-to-use method”, such as a hyperlink or layered notice, for the consumer to obtain additional information including another “plain language” explanation of: (a) the logic used in the ADMT, including key parameters affecting the output of the ADMT, and explanation about why these parameters are key; (b) the intended output (e.g., a numerical score of compatibility); (c) how the business plans to use the output for decisionmaking, including the role of any human involvement; and (d) whether the business’s use of the ADMT has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation.
- The business may also include a hyperlink directing the consumer to its unabridged risk assessment of the business’s use of the ADMT.
III. New Section 7030 – Opt Out Rights
- Businesses shall provide consumers with the ability to opt out of uses of ADMT:
- For “a decision that produces legal or similarly significant effects” concerning a consumer;
- Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student. For example, this includes profiling an employee using keystroke loggers, productivity or attention monitors, recording or live-streaming, facial- or speech-recognition, location trackers, web-browsing, mobile-application, or social media monitoring tools, and more;
- Profiling consumers while they are in a publicly accessible place, for example, through Wi-Fi or Bluetooth tracking, radio frequency identification, drones, A/V recording or live-streaming, facial- or speech-recognition, automated emotion assessment, geofencing, location trackers, or license-plate recognition.
- The draft regulations include additional options for board discussion, including opt out rights where a business:
- Profiles a consumer for behavioral advertising;
- Profiles a consumer that the business has actual knowledge is under the age of 16; and
- Processes the personal information of consumers to train ADMT.
- A business using ADMT for the above purposes shall provide two (2) or more designated methods for submitting requests to opt out of the use of ADMT. When determining which methods to use, it shall consider the methods by which it interacts with consumers, uses the ADMT, and ease of use by the consumer.
IV. Exceptions to Opt Out Rights
- A business would not be required to provide the opt out right for ADMT if the use is both: (a) consistent with Regulation 7002 and (b) necessary to achieve, and used solely for, an explicitly listed permissible purpose (e.g., preventing security incidents, protecting the life and physical safety of consumers, resisting fraudulent actions directed at the business, or providing a specifically requested good or service where the business has no reasonable alternative method of processing).
- If a business is profiling a consumer for behavioral advertising, the business can rely on the above exceptions, and shall be required to provide the opt-out right.
V. NEW Section 7031 – Request to Access Information about Use of ADMT
- If a business has made a decision resulting in the denial of goods or services, the business shall notify the consumer of the following:
- That the business made a decision with respect to the consumer;
- That the consumer has a right to access information about the business’s use of that ADMT;
- How the consumer can exercise their access right; and
- That the consumer can file a complaint with the CPPA and the Attorney General. The business shall provide links to the complaint forms on their respective websites.
- If the business cannot verify the identity of the requestor, the business shall not disclose the information and shall inform the requestor that it cannot verify their identity.
- If a business denies a request because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for denial, unless prohibited from doing so by law. If denied only in part, the business shall disclose the other information sought (i.e., the information not being denied) by the consumer.
- A business shall use reasonable security measures when transmitting the requested information to the consumer.
- In responding to the request to access, the business shall provide a plain language explanation of the following information to the consumer:
- In accordance with the requirements in Section 7030(o), the business shall provide instructions regarding the methods by which consumers can submit a complaint regarding the business’s use of ADMT, including a complaint about a specific decision and how the decision was or will be made with respect to the consumer. The business shall also explain that the consumer can file a complaint with the CPPA and the Attorney General and provide links to complaint forms.
- If a business’s use of the ADMT is solely as set forth in Section 7030(m), the business shall not be required to provide the ability to opt-out or an opt-out link or include information about this right in response to a request to access.
- If a business’s use of the ADMT is solely as set forth in section 7030, subsections (m)(1)–(3), the business shall not be required to disclose information in its response to a request to access that would compromise its processing of personal information for those purposes.
- A service provider or contractor shall provide assistance to the business in responding to a verifiable consumer request to access, including by providing the business with the consumer’s personal information it has in its possession that it collected pursuant to their written contract with the business, or by enabling the business to access that personal information.
Special Rules Regarding Consumers Under 16 Years of Age
In conjunction with the Section 7030 subsection (b)(4)(A), the draft regulations offer for consideration some special rules via amendments to existing CPPA regulations, regarding profiling of minors for behavioral advertising:
Amendment to Section 7070 – Consumers Less Than 13 Years of Age.
- A business that has actual knowledge that it profiles a consumer less than 13 years old for behavioral advertising shall establish, document, and comply with a reasonable method for a parent or guardian to opt in to the use of profiling for behavioral advertising, and for determining that the person is indeed the child’s parent or guardian. This consent to the profiling is in addition to any verifiable parental consent required under COPPA.
- Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include those set forth in subsection (a)(2). (Note: See existing CCPA Regulation 7070(a)(2), which includes signed consent forms, online payment system confirmation, video-conference or other communication with trained personnel, government identification, etc.)
- When a business receives consent to profiling for behavioral advertising pursuant to subsection (c), the business shall inform the parent or guardian of the right to opt out of profiling for behavioral advertising and of the process for doing so on behalf of their child pursuant to section 7030.
Amendment to Section 7071 – Consumers at Least 13 Years of Age and Less Than 16 Years of Age.
- A business that has actual knowledge that it profiles a consumer at least 13 years of age and less than 16 years of age for behavioral advertising shall establish, document, and comply with a reasonable process for allowing such consumers to opt-in to the use of profiling for behavioral advertising.
- When a business receives a request to opt-in to the profiling of a consumer at least 13 years of age and less than 16 years of age for behavioral advertising, the business shall inform the consumer of their ongoing right to opt-out of the use of profiling for behavioral advertising at any point in the future and of the process for doing so pursuant to section 7030.
The draft regulations may be found here.
Preliminary written comments were solicited and accepted from February 10, 2023 to March 27, 2023. You may view the comments here.