On November 27 2023, the California Privacy Protection Agency (“CPPA”) released the first draft of its automated decision-making (“ADMT”) rules (the “Draft Rules”) for those covered entities that must comply with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). This iteration of the Draft Rules is intended for discussion at the CPPA Board and will be open for public comments thereafter. The Draft Rules define ADMT as “any system, software, or process—including one derived from machine-learning, or other data-processing or artificial intelligence—that processes personal information and uses computation as a whole or part of a system to make or execute a decision or facilitate human decision-making.”

Proposed requirements for covered entities using ADMT

The Draft Rules propose requirements that covered entities must provide consumers with two or more designated methods for submitting requests to opt-out when they do any of the following activities:

• Make decisions producing legal or similarly significant effects concerning consumers that may result in access to, provision or denial of: financial or lending services; housing; insurance; education; enrollment or opportunity; criminal justice; employment or independent contracting opportunities or compensation; healthcare service; or essential goods or services.
• Profile consumers acting in their capacity as an employee, independent contractor, job applicant, or student. Such examples may include using:
  • Keystroke loggers
  • Productivity or attention monitors
  • Video or audio recording or live-streaming
  • Facial/speech recognition or detection
  • Automated emotion assessment
  • Location trackers
  • Speed trackers
  • Web-browsing, mobile-application, or social-media monitoring tools
• Profile consumers while they are in publicly accessible places including using:
  • Wi-Fi or Bluetooth tracking
  • Radio frequency identification
  • Drones
  • Video or audio recording or live-streaming
  • Facial/speech recognition or detection
  • Automated emotion assessment
  • Geo-fencing
  • Location trackers
  • License-plate recognition

Additional activities that could potentially also require opt-out opportunities for consumers include:

• profiling consumers for behavioral advertising;
• profiling consumers that are known to be under 16 years old; and
• processing consumer personal information to train automated decision-making technology.

Proposed requirements that would provide consumer protections

The Draft Rules also propose that covered entities draft Pre-use Notices containing a description of consumers’ rights to opt-out of the processing of their personal data by ADMT. This description should clearly state the scope of consumers’ rights to opt-out. If a covered entity is not required to provide consumers a right to opt-out because it relies on an exception to the requirement to do so (such as when a covered entity uses ADMT to protect the life and safety of consumers), the entity must inform consumers of that fact and identify the specific exception it is relying on.

The Draft Rules also propose that information on consumers’ rights to access information about covered entities’ use of ADMT in Pre-use Notices should include:

• A description of consumers’ rights to access information about that use of ADMT with respect to those consumers for processing; and
• A simple and easy-to-use method for consumers to obtain additional information about covered entities’ use of ADMT, such as a layered notice or hyperlink.

Next steps

As explained above, the Draft Rules are intended for the CPPA Board’s discussion and will be open for public comment at a yet-to-be-determined date. To prepare, covered entities that use ADMT should consider getting a head start on compliance by:

• Determining all areas for which they use ADMT as described above.
• Assessing their level of compliance with the Draft Rules so they are prepared to act when the Draft Rules are finalized.
• Providing comments on the Draft Rules once the public comment period begins.

Other Key CPPA Board Updates

Additionally, the CPPA Board meeting scheduled for December 8, 2023 will discuss previously-released proposed regulations regarding cybersecurity audits and risk assessments. The proposed risk assessment regulations include language for CPPA Board consideration requiring covered entities to conduct risk assessments when processing consumers’ personal information presents significant risk to consumers’ privacy. The proposed cybersecurity audit requirement includes language for CPPA Board consideration requiring covered entities to perform cybersecurity audits. The CPPA Board will consider options for thresholds a covered entity must meet to be subject to the cybersecurity audit requirement.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises on compliance with state regulations on privacy and cybersecurity. If you have any questions concerning how the CPPA’s proposed rules for ADMT may affect your organization, please do not hesitate to contact the members of our team listed below.