Automated Decision-Making Technology Rules Proposed

Last month, the California Privacy Protection Agency (CPPA), the state’s privacy agency, proposed regulations concerning automated decision-making technology (ADT), risk assessments, and cybersecurity. These regulations, if adopted, would create heavy burdens on many employers regarding their California applicants, employees, or independent contractors.

Definitions

The current draft automated decision-making technology regulations, released November 27, 2023, define “automated decision-making technology” as: 

[A]ny system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. It also includes profiling. 

“Profiling” is defined as:

[A]ny form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

A “decision that produces legal or similarly significant effects concerning a consumer” means:

[A] decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.

Finally, a “publicly accessible place” is defined as a place that is open to or serves the public.

Requirements for Businesses

Pre-Use Notice. The current draft automated decision-making technology regulations state that businesses would be required to provide a pre-use notice to consumers about the business’s use of ADT, the consumer’s right to opt out, and the consumer’s right to access information about how the business uses ADT. Such pre-use notice must:

  1. Comply with section 7003; 
  2. Be made readily available where consumers will encounter it;
  3. Be provided in the manner in which the business primarily interacts with the consumer, before the business processes the consumer’s personal information using the automated decision-making technology; and
  4. Include the following:
    • a. A plain language explanation of the purpose for which the business proposes to use the automated decision-making technology;
    • b. A description of the consumer’s right to opt-out of the business’s use of the automated decision-making technology for the processing activities set forth in § 7030(b), and how the consumer can submit a request to opt-out of the business’s use of the automated decision-making technology;
    • c. A description of the consumer’s right to access information about the business’s use of the automated decision-making technology; and
    • d. A simple and easy-to-use method (e.g., a layered notice or hyperlink) by which the consumer can obtain additional information about the business’s use of the automated decision-making technology.

Opt-Out Option. The draft automated decision-making technology regulations also state that businesses must provide an option to opt out of the following uses of ADT:

  • Making a decision that produces legal or similarly significant effects concerning a consumer.
  • Profiling a consumer who is acting as an employee, independent contractor, job applicant or student (for example, profiling employees using keystroke loggers).
  • Profiling a consumer while they’re in a publicly accessible place (such as using Wi-Fi, Bluetooth tracking, drones or geolocation to profile consumers in public).
  • Profiling a consumer for behavioral advertising (including opt-ins for consumers under 16).
  • Profiling a consumer whom the business has actual knowledge is under age 16.
  • Processing personal information of consumers to train ADT.

The regulations have a number of exceptions to the opt-out rights. They include when ADT is used for the prevention of security incidents, fraud or illegal actions; protecting consumer safety; and when there’s no reasonable alternative for processing.

The rules also state that consumers have a right to access information about the business’s use of automated decision-making technology.

Risk Assessment. Every business whose processing of consumers’ personal information presents a “significant risk” to consumers’ privacy must conduct a risk assessment before starting that processing. The proposed rules provide that the following processing activities present significant risks to consumers’ privacy:

  • Selling or sharing personal information. 
  • Processing sensitive personal information.
  • Using automated decision-making technology for a significant decision concerning a consumer or for extensive profiling.
  • Processing the personal information of consumers to train automated decision-making technology or artificial intelligence that is capable of being used for any of the following: 
    • For a significant decision concerning a consumer; 
    • To establish individual identity; 
    • For physical or biological identification or profiling;  
    • For the generation of a deepfake; or 

The business must conduct a risk assessment to determine whether the risks to consumers’ privacy from the processing of personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public from that processing. 

The business must specifically identify its purpose for processing consumers’ personal information; the categories of personal information to be processed and whether they include sensitive personal information; operational elements; the benefits and the negative impacts to the business, the consumer, other stakeholders, and the public; the safeguards implemented to address the negative impacts; and other specifics, such as the form and deadlines for submitting the assessment.

Automated decision-making technology processing is prohibited if the risks to consumers’ privacy outweigh the benefits. Risk assessments must be submitted to the California Privacy Protection Agency.

Cybersecurity Audit. Businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” would be required to perform annual cybersecurity audits, “including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.” The factors to be considered in determining when processing may result in significant risk to the security of personal information include:

  • the size and complexity of the business; and
  • the nature and scope of its processing activities.

Bottom Line

The California Privacy Protection Agency determined that the draft automated decision-making technology regulations are not ready for formal rulemaking. The draft rules were returned to the New CPRA Rules Subcommittee for further revision.

As a result, employers need not implement the rules at this time. However, employers should be prepared, as the final automated decision-making technology regulations are likely to be quite similar to these draft discussion regulations.

Eanet, PC will monitor the process and alert you to the announcement of the final rules.
