On November 27, the California Privacy Protection Agency (CPPA) released draft regulations on automated decision-making technologies (ADMT) pursuant to the Consumer Privacy Protection Act, as amended (CCPA). The proposed ADMT framework clearly signals California’s intention to take the lead on state-level regulation of artificial intelligence (AI). CPPA Executive Director Ashkan Soltani went even further, telling TechCrunch that the draft proposal is “by far the most comprehensive and detailed set of regulations in the AI space.”
What is ADMT?
The CPPA’s proposal broadly defines ADMT as “any system, software, or process — including one derived from machine learning, statistics, other data processing or artificial intelligence — that processes personal information and uses computation as [a] whole or part of a system to make or execute a decision or facilitate human decision-making. ADMT includes profiling.” Thus, ADMT includes systems, software, or processes that make or execute decisions without human intervention, and those that “facilitate human decision-making.” This approach is aligned with the Colorado Privacy Act’s regulations, which encompass “human[-]involved automated processing.” By comparison, the EU General Data Protection Regulation prohibits fully automated decision-making without human intervention, except where a “legal basis” exists for such processing. In addition to AI, the proposed ADMT framework encompasses machine learning, statistical analysis, and other data processing activities, including profiling capabilities.
What do the draft regulations require?
Consistent with the CCPA, the draft ADMT regulations emphasize the importance of notice, transparency, and consumer choice for regulated businesses that process consumer personal information in ADMT systems.
Prior Notice. Businesses must notify consumers in advance regarding how their personal information will be processed and that opt-out rights are available. Moreover, businesses are required to make additional information readily available to consumers via hyperlink, including whether the ADMT has been evaluated for fairness or reliability and the outcomes of such assessments. There are limited exceptions to these disclosure requirements, such as when ADMT is used for security purposes to detect fraud or illegal activities or protect consumer safety or because the information is critical to the business’ provision of goods or services. If a business falls within an exception, it must further advise consumers of the reasons they will not be permitted to opt out of ADMT. In an important caveat, businesses that use ADMT for purposes of behavioral advertising are not entitled to claim an exception and must provide consumers with opt-out rights.
Opt-Out Process. Under the proposed regulations, opt-out rights extend to situations where ADMT is used to make legal determinations; to evaluate student, job applicant, and/or employee performance; and when consumers are in public places. In the employment context, ADMT may be implicated when employees are monitored by keystroke loggers, location trackers, or tools that monitor online activity. When businesses choose to deploy Wi-Fi, facial recognition software, or similar ADMT systems in brick-and-mortar establishments, arenas, malls, and similar venues, they are required to provide opt-out mechanisms.
Consumer Access Rights. Under the proposed regulations, consumers have the right to ask businesses what ADMT is used for and how decisions affecting them were made. Assuming businesses have verified the consumer’s identity, responses should include descriptions of ADMT logic, the potential range of outcomes, and how human decision-making affected the final outcome. Businesses are not required to respond to an access request if consumer safety may be compromised or the information is used for security purposes or to prevent fraud. Consumers have the right to appeal denials of their access requests to the CPPA and the California Attorney General’s Office, and businesses must provide links to the appropriate websites for registering complaints.
What’s next?
The CCPA Board is scheduled to open discussions regarding the draft ADMT regulations at its December 8 meeting, including critical topics such as how to deploy ADMT when consumers are children under 13 and consent must be obtained from parents or guardians, and how to inform consumers of their rights in public spaces (along with viable opt-out mechanisms). The formal rulemaking process is slated to begin in early 2024. Upon final approval, the ADMT regulations may become the standard against which other state laws will be measured. When President Biden released an executive order regarding AI in October, he called for Congress to pass a comprehensive national privacy law. If the past decade is any indication and congressional delay on this essential legislation continues, state laws will assume an ever-increasing importance for U.S. businesses.