July 24, 2024
CPPA Takes on Automated Decisionmaking Technology
The CA Privacy Protection Agency unveiled a new set of proposed rules for automated decisionmaking technology that could have a huge impact on businesses.

The Board of the California Privacy Protection Agency (CPPA) met on December 8, 2023, with the primary purpose of discussing new proposed regulations that can affect businesses across the globe. The regulations covered three main areas: risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT).

While all of these regulations will likely have a profound impact on future compliance with the state’s landmark privacy legislation, the California Consumer Privacy Act (CCPA), the proposed rules on ADMT have generated particular interest because they go much farther than many were expecting.

Here we'll explore what that means.

Background

The CPPA was created when state voters approved the California Privacy Rights Act in 2020, which also gave the Agency broad rule-making authority. The legislation identified several areas of compliance for which the CPPA must adopt regulations. One of these areas is “automated decisionmaking, including profiling,” for which regulations must define consumers’ access and opt-out rights.

With little in the way of specific guidance from the statute, the CPPA has a lot of leeway to create its own rules. On top of this, the CCPA’s exemption for employee data expired at the beginning of 2023, meaning the Agency has to consider workplace privacy as well.

The Current Proposal

The proposed ADMT regulations essentially open up an entire new area of CCPA compliance, so there is a lot of information to take in. Here are the essential details.

Definitions

There are two definitions that are key to understanding the breadth of the proposed regulations: “automated decisionmaking technology” and “profiling.”

Automated decisionmaking technology
Any system, software, or process that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. Automated decisionmaking technology includes profiling.

Profiling
Any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Both of these definitions are very open-ended. For example, a definition of ADMT as “any software that uses computation as part of a system to facilitate human decisionmaking” has led some to speculate that a spreadsheet could be considered ADMT.

When the Rules Apply

The broadness of these definitions is somewhat trimmed back elsewhere in the regulations. That is mostly because compliance obligations would only be imposed on businesses when they use ADMT for certain purposes. These purposes are:

  1. For a decision that produces legal or similarly significant effects concerning a consumer
  2. Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student
  3. Profiling a consumer while they are in a publicly accessible place
  4. Profiling a consumer for behavioral advertising
  5. Profiling a consumer that the business has actual knowledge is under the age of 16
  6. Processing the personal information of consumers to train ADMT

Requirements for Businesses Using ADMT

If ADMT is used for any of the purposes listed above, it would trigger significant compliance obligations:

  • Risk Assessments - The use of ADMT would be considered a high-risk activity, which means businesses would have to complete risk assessments for the processing. The Agency is still considering regulations for what these assessments will look like, but they are likely to go beyond what is required in other states with privacy legislation.
  • Pre-Use Notice - Businesses will have to provide a substantial privacy notice specific to their use of ADMT. Among other information, the pre-use notices must include:
    • The logic of the ADMT
    • Its intended output
    • How the business plans to use the output to make a decision
    • Whether the ADMT has been evaluated for validity, reliability, and fairness
  • Opt-Out Rights - If a consumer opts out, the business must cease processing their personal information with that ADMT, as well as delete the relevant personal information. There are exceptions to the opt-out right if the ADMT is used for:
    • Security
    • Fraud prevention
    • Safety
    • To provide a requested good or service (with limitations)
  • Access Rights - Upon request, businesses must provide consumers with detailed information about the ADMT, including:
    • The business’s purpose for using the ADMT
    • The output of the ADMT for that specific consumer
    • The range of possible outputs
    • Any decision made using the ADMT
    • How the ADMT worked in this particular case
    • How the consumer can exercise their CCPA rights and make a complaint to the CPPA

What Happens Next?

The proposed regulations are far from finalized. First, the CPPA Board would have to approve the language, then open them up to public comment, possibly make changes based on feedback, and ultimately send the proposed rules for approval by the Office of Administrative Law. The Agency also has yet to prepare an economic impact assessment, which is a requirement for new regulations. Even if the proposed rules were to undergo no changes and progress at a quick pace, they probably wouldn’t be in force until at least 2025.

However, there is reason to think that there will be significant revisions to the ADMT rules before they move forward. Several of the Board members pushed back against the draft language for being overbroad, especially with regard to the rules for profiling employees. As one Board member put it, “The CCPA is a privacy law, not an HR law.” A new version of the rules will be prepared with input from individual Board members, and should be presented at the next meeting. The next round of changes should provide insight into the Agency’s thinking on the matter.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
