CPPA AI Rules Cast Wide Net for Automated Decisionmaking Regulation
Published 04/26/2024
Originally published by Truyo.
Written by Dan Clarke.
At the end of 2023, the California Privacy Protection Agency (CPPA) unveiled draft regulations aimed at automated decision-making technology (ADMT), including artificial intelligence (AI), to bolster consumer protections in the state. This step underscores California’s commitment to individual privacy rights and represents a critical development in the ever-evolving landscape of data governance and AI ethics.
At the most recent CPPA meeting, the Agency, in what can be described as a spirited discussion, considered the ramifications of the draft ADMT regulations, including some publicly contentious elements in the draft rules. Seemingly most contentious in the CPPA draft rules is the consent to train automated decisionmaking technology, which may get overturned in the long run. The bulk of the rules are, as expected, consumer-centric, keeping notice and opt-out consumer rights at the forefront. Let’s take a look at the key elements of the draft rules as they stand today.
Defining the Scope
The draft regulations are general and intended to encompass any system, software, or process that processes personal information and uses computation to make or facilitate decisions. This covers various technologies, including those derived from machine learning, statistics, or other data-processing methods. Included in this scope is profiling, defined as any form of automated processing to evaluate personal aspects of individuals, such as their behaviors, whereabouts, economic situation, or health.
Requirements in the Original CPPA Draft Rules
Pre-Use Notice: Businesses employing ADMT must provide consumers with advance notice detailing the technology’s purpose, decision-making process, and their rights to opt out and access information about its use. This notice must be presented in plain language and include comprehensive information on the logic, parameters, and testing of the ADMT for validity, reliability, and fairness.
Right to Opt Out: Consumers have the right to opt out of decisions made by ADMT that produce legal or similarly significant effects, such as employment opportunities or compensation. Businesses must offer multiple opt-out methods tailored to their consumer interactions, ensuring accessibility and ease of use.
Updates to the CPPA Draft Rules
Since November, the CPPA has adjusted the draft rules, as is the usual trajectory for formulating regulations. We anticipate further modifications, as all draft rules are subject to change pending public feedback and the formal rulemaking process. Here is the current state of the notice provision and opt-out requirement.
The draft requires specialized notice, plus opt-out and access rights under ADMT, for:
- decisions that produce legal or similarly significant effects
- profiling workers, job applicants, and students
- profiling individuals “in a publicly accessible place”
- profiling consumers related to “behavioral advertising”
- profiling anyone under 16 years old for any purpose
- using personal information (PI) to train ADMT
Pre-use notice includes informing consumers of the right to opt out and a “plain language” explanation of the ADMT’s logic, key parameters, and whether it has been tested (with results) for “validity, reliability, and fairness.”
Rights:
- Opt-out requires 2 methodologies (not just cookies); there is disagreement on whether this includes employees
- Information on ADMT use for specific consumers and a “plain language” explanation of purpose, output (consumer-specific), and any impacted decisions (pre- or post-use), with the full range of potential outputs
- Additional CPRA rights
Adverse decisions/actions require further explanation and post-use notice, which is unique to the CPPA draft rules.
Implications for Employers
Employers in California should pay close attention to these draft regulations, as they significantly impact employment practices and policies. Job applicants and employees must be informed if employment decisions are based on ADMT, and they retain the rights to access information and opt out of profiling activities. Additionally, businesses must conduct risk assessments to mitigate privacy risks associated with ADMT usage.
Looking Ahead
While these draft regulations signal California’s proactive approach to regulating ADMT and protecting consumer privacy, we may see an evolution as stakeholders engage in the ongoing dialogue to shape the final regulations. We will keep you apprised of additional information about the CPPA ADMT draft rules as it becomes available.
About the Author
Dan Clarke is a former Intel® executive with numerous leadership roles who was pulled into the privacy space after a call from Intel® anticipating GDPR’s implementation. Dan’s privacy expertise comes from developing the Truyo platform, which automates compliance with current and emerging privacy laws for enterprise-level companies. Clarke is a privacy thought leader involved in Arizona, Texas, and federal privacy legislation. Dan helped Truyo step into the AI Governance realm by developing the first comprehensive AI Governance Platform and creating a 5 Steps to Defensible AI Governance workshop that's been conducted with enterprise companies across the United States.