The Board of the California Privacy Protection Agency (CPPA) met on December 8, 2023, with the primary purpose of discussing new proposed regulations that can affect businesses across the globe. The regulations covered three main areas: risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT).
While all of these regulations will likely have a profound impact on future compliance with the state’s landmark privacy legislation, the California Consumer Privacy Act (CCPA), the proposed rules on ADMT have generated particular interest because they go much farther than many were expecting.
Here we'll explore what that means.
The CPPA was created when state voters approved the California Privacy Rights Act in 2020, which also gave the Agency broad rule-making authority. The legislation identified several areas of compliance for which the CPPA must adopt regulations. One of these areas is “automated decisionmaking, including profiling,” for which regulations must define consumers’ access and opt-out rights.
With little in the way of specific guidance from the statute, the CPPA has a lot of leeway to create its own rules. On top of this, the CCPA’s exemption for employee data expired at the beginning of 2023, meaning the Agency has to consider workplace privacy as well.
The proposed ADMT regulations essentially open up an entire new area of CCPA compliance, so there is a lot of information to take in. Here are the essential details.
There are two definitions that are key to understanding the breadth of the proposed regulations: “automated decisionmaking technology” and “profiling.”
Automated decisionmaking technology
Any system, software, or process that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. Automated decisionmaking technology includes profiling.
Profiling
Any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Both of these definitions are very open-ended. For example, a definition of ADMT as “any software that uses computation as part of a system to facilitate human decisionmaking” has led some to speculate that a spreadsheet could be considered ADMT.
The broadness of these definitions is somewhat trimmed back elsewhere in the regulations. That is mostly because compliance obligations would only be imposed on businesses when they use ADMT for certain purposes. These purposes are:
If ADMT is used for any of the purposes listed above, it would trigger significant compliance obligations:
The proposed regulations are far from finalized. First, the CPPA Board would have to approve the language, then open it up to public comment, possibly make changes based on feedback, and ultimately send the proposed rules for approval by the Office of Administrative Law. The Agency also has yet to prepare an economic impact assessment, which is a requirement for new regulations. Even if the proposed rules were to undergo no changes and progress at a quick pace, they probably wouldn’t be in force until at least 2025.
However, there is reason to think that there will be significant revisions to the ADMT rules before they move forward. Several of the Board members pushed back against the draft language for being overbroad, especially with regard to the rules for profiling employees. As one Board member put it, “The CCPA is a privacy law, not an HR law.” A new version of the rules will be prepared with input from individual Board members, and should be presented at the next meeting. The next round of changes should provide insight into the Agency’s thinking on the matter.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.