California Privacy Protection Agency to Consider Draft Rules Putting Guardrails on Automated Decision-Making, Including AI: Pre-Use Disclosures, Opt-Out Options, Access, And Appeal Rights
The California Privacy Protection Agency (CPPA) yesterday released long-awaited draft rules on automated decision-making in several areas of significance, marking a significant step in shaping some of the most impactful artificial intelligence laws at the state level in the U.S. The rules would require businesses to provide prior notice, opt-out, and access options to consumers whose data is being used. The draft also leaves up for the CPPA Board’s discussion how businesses should approach profiling children under 16 years old and how consumer information should be used in machine learning and training other automated decision-making technology.
The CPPA has not yet started the formal rulemaking process on this matter. The draft rules are still in their early form and are intended to facilitate the CPPA Board discussion and public participation and are subject to change. Nevertheless, the draft offers an initial glimpse into the CPPA’s perspective on these novel and substantial issues.
The proposed rules define “Automated decisionmaking technology” as any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. Automated decision-making technology includes profiling.
“Profiling” is defined as any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pre-Use Notice
The proposed rules state that businesses using personal information in their automated decision-making systems must transparently communicate to consumers both the fact of utilization and their rights to opt out and to access information about the business’s automated decision-making practices. The disclosure would need to contain, among other things, an explanation of the logic used in the automated decision-making technology, including the key parameters that affect its output and why these parameters are key. Given the potential significant impact of automated decisions in certain fields, businesses must also specify whether the technology underwent reliability or fairness assessments and their results.
Right to Opt-Out
The proposal explicitly states various situations in which consumers have the option to opt out of being the object of automated decision-making. Businesses would need to facilitate opting-out of profiling of employees, contractors, job applicants or students as well as any profiling taking place in a publicly accessible place (e.g., shopping malls). Businesses would also need to provide opt-out mechanisms if the automated decisions result in access to, or the provision or denial of:
- Financial or lending services, housing, insurance
- Employment or independent contracting opportunities or compensation
- Education enrollment or opportunity
- Healthcare services
- Criminal justice
- Essential goods or services.
Exceptions to opt-out requirements include the following automated decision-making use cases:
- Prevention of security incidents that compromise the personal information
- Restriction of fraudulent and illegal actions against the business
- Consumers’ life and physical safety protection
- Provision of goods/services specifically requested by the consumer (when there is no reasonable alternative).
The exceptions would not apply to behavioral (targeted) advertising.
Access Rights
The draft rules provide that businesses would be required to provide consumers with the right to access information about how they use automated decision-making technology. Moreover, if the business has made a decision that results in the denial of goods or services with respect to the consumer (e.g.,
denied the consumer an employment opportunity or lowered their compensation), the business would have to notify the consumer of this fact, providing them with the right to file a complaint with the CPPA and the California Attorney General.
The CPPA Board is scheduled to discuss the draft at its December 8 public meeting, along with a staff presentation on the regulations. The CCPA Board is unlikely to begin a formal rulemaking process at this time but may indicate potential future direction.
We are closely monitoring the developments in AI and related emerging technologies’ regulation on state and federal levels and will inform you of opportunities to submit your comments and make your voice heard in the rulemaking process.
NEED HELP WITH PRIVACY LAW COMPLIANCE AND AI GOVERNANCE?
In our Artificial Intelligence (AI) practice, we leverage our established subject matter expertise in data privacy, intellectual property law, and regulatory compliance with our proven ability to successfully navigate the ever developing and uncertain technology law landscapes. Our attorney ranks include publishing experts, particularly in the field of legal matters related to AI, whose publications got international traction. We closely follow regulatory and case law developments to guide businesses, developers, and investors on AI-related legal compliance and legal risk mitigation.
CONTACT US NOW, WE ARE STANDING BY TO GUIDE YOUR COMPANY’S COMPLIANCE EFFORTS
Jonathan S. Marashlian – Tel: 703-714-1313 / E-mail: jsm@CommLawGroup.com
Michael Donahue — Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@CommLawGroup.com
Diana Bikbaeva – Tel: 703-663-6757 / E-mail: dab@CommLawGroup.com