Hogan Lovells 2024 Election Impact and Congressional Outlook Report
15 November 2024
In March, the California Privacy Protection Agency (CPPA) board narrowly voted in favor of updated draft regulations on automated decisionmaking technology (ADMT) and risk assessments, along with proposed updates to existing privacy regulations. The CPPA did not initiate the formal rulemaking processes for the draft regulations. Instead, the board voted to solicit further public comments and authorized CPPA staff to prepare for the formal rulemaking process, which is anticipated to begin later this year. The proposed regulations contain key differences from prior drafts and may warrant additional comments from stakeholders.
The CPPA initially released draft ADMT regulations on November 27, 2023, seeking to define protections related to businesses’ use of these technologies, addressing California Consumer Privacy Act (CCPA) considerations. The draft included a right to opt out of, and access information about, businesses’ uses of ADMT. As noted in our prior blog post, the CPPA Board provided feedback on the proposed regulations at a board meeting in December 2023, and the agency expected to begin formal rulemaking in 2024. The CPPA Board met on March 8, 2024 to discuss and vote on the proposed ADMT and risk assessment regulations, along with the cybersecurity audit regulations discussed in a prior blog post.
The updated drafts of the ADMT and risk assessment regulations differ in many ways from the prior versions.
The CPPA’s updated draft ADMT regulations appear designed to clarify and expand the applicable triggers, organizing the provisions addressing core requirements in three sections: pre-use notice requirements, opt-out right requirements, and access right requirements. And there is a new section regarding physical or biological identification or profiling.
Profiling for Behavioral Advertising Is a Trigger: The CPPA has revised the triggers for pre-use notice, opt-out, and access requirements by adding the use of ADMT for “profiling a consumer for behavioral advertising” as a trigger.1 This significantly broadens the types of activities that may now be subject to these requirements.
Heightened Restrictions for Physical or Biological Identification or Profiling: The draft ADMT regulations propose new requirements for businesses that use “physical or biological identification or profiling" for a “significant decision” or for “extensive profiling.” Specifically, the draft regulations would require that businesses (1) conduct evaluations to ensure that such identification or profiling works as intended and does not discriminate based upon protected classes; and (2) implement accuracy and nondiscrimination safeguards.
Streamlined Pre-use Notice Requirements: The draft regulations would permit businesses to provide a “consolidated Pre-Use Notice” to consumers that will allow businesses to address the business’s use of ADMT more efficiently for multiple purposes, as well as its use of multiple ADMTs.
Limited ADMT Opt-Out Requests: Under the draft regulations, businesses would not be required to provide consumers with the ability to opt out of a business's use of ADMT for significant decisions if the business provides a method for consumers to appeal the decision to a qualified human reviewer with authority to overturn the decision. This “human appeal exception” would apply if the business satisfies certain specified requirements including designating a qualified human reviewer who must consider relevant information, clearly describing to the consumer how they can submit their appeal, and enabling the consumer to provide information for the reviewer to consider. The draft regulations also add an “evaluation exception” for admission, acceptance, or hiring decisions; allocation/assignment of work and compensation decisions; and work or educational profiling. For these purposes, businesses are not required to provide consumers with an opt-out if: (1) the ADMT is necessary to achieve, and used solely for, such purposes; (2) the business has evaluated the ADMT to ensure that it works as intended and does not discriminate based upon protected classes; and (3) the business has implemented accuracy and nondiscrimination safeguards.
Provided Requirements for ADMT Access Requests: The CPPA has restructured and revised the requirements regarding the information that a business must disclose in response to a consumer's access request. The draft regulations now contain general requirements for all access requests, and additional requirements for when a business uses ADMT to make an adverse significant decision.
The CPPA has also focused its attention on risk assessment requirements. Updates to the draft regulations include changes to the provisions regarding when businesses will need to conduct risk assessments, the requirements for such risk assessments, and the methods of submitting risk assessments to the CPPA.
When a Risk Assessment Is Required for ADMT or AI: The updated draft regulations clarify that risk assessments would be required when processing consumers’ personal information to train ADMT or AI that is capable of being used for: (i) a significant decision (such as determinations that can impact the provision or denial of financial services, employment opportunities, or healthcare); (ii) to establish individual identity; (iii) for physical or biological identification or profiling; (iv) for generating deepfakes; or (v) for operating generative models.
Clarification on Abridged Risk Assessment Submissions to the CPPA: The CPPA has streamlined what must be included in an abridged risk assessment, by removing the requirements to include: (i) a plain language explanation of the processing subject to the risk assessment; and (ii) a plain language explanation of why the negative impacts of the processing, as mitigated by safeguards, do or do not outweigh the benefits of the processing. The CPPA has also clarified that if a business previously conducted and submitted an abridged risk assessment to the CPPA for a given processing activity, and there were no material changes to that processing during a subsequent submission period, the business is not required to submit an updated risk assessment to the CPPA (though the business must still submit a certification of compliance to the CCPA).
In addition to the new requirements described above, the CPPA has proposed:
New and Revised Definitions: In addition to new requirements, the CPPA’s updated draft feature several new or revised definitions that correspond to these updates, including:
“Automated Decisionmaking Technology”: The CPPA has revised the definition to clarify that ADMT “execute[s] a decision, replace[s] human decisionmaking, or substantially facilitate[s] human decisionmaking” (emphasis added), with “substantially facilitate human decisionmaking” defined as using the output of the relevant technology as a “key factor” in a human’s decisionmaking. This new language helps to narrow the scope of the definition contained in the prior draft, which had defined ADMT (in relevant part) as technology that “make[s] or execute[s] a decision or facilitate[s] human decisionmaking.” The revised definition also now expressly excludes a variety of technologies from the definition of ADMT (such as web hosting and spreadsheets), unless these technologies are used for the purposes noted above or the business tries to use these technologies to circumvent the requirements in the Regulations.
“Behavioral Advertising”: The CPPA has added a definition of “behavioral advertising,” defined to mean “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity—both across businesses, distinctly-branded websites, applications, or services, and within the business’s own distinctly-branded websites, applications, or services.” The inclusion of first-party advertising activities within the definition is significant, as the use of ADMT to profile consumers for behavioral advertising triggers both the requirement to conduct a risk assessment as well as various requirements under the draft ADMT regulations.
“Physical or Biological Identification or Profiling”: The CPPA has added a definition of “physical or biological identification or profiling,” defined as “identifying or profiling a consumer using information that depicts or describes their physical or biological characteristics, or measurements of or relating to their body. The definition expressly includes “using biometric information, vocal intonation, facial expression, and gesture (e.g., to identify or infer emotion).” The CPPA also added new requirements for businesses that use physical or biological identification or profiling for certain purposes (discussed further below).
“Train Automated Decisionmaking Technology”: The CPPA has defined what it means to “train automated decisionmaking technology,” defined in relevant part as "the process through which automated decisionmaking technology or artificial intelligence discovers underlying patterns, learns a series of actions, or is taught to generate a desired output.” The definition includes several examples of what constitutes training, including “adjusting the parameters of an algorithm used for automated decisionmaking technology or artificial intelligence, improving the algorithm that determines how a machine-learning model learns, and iterating the datasets fed into automated decisionmaking technology or artificial intelligence.”
In addition to revising the new ADMT and risk assessment regulations that have been proposed, the CPPA proposed further edits to existing CCPA regulations. Notable proposed revisions include:
Revised definition of “Sensitive Personal Information”: The CPPA proposed updating the definition of “sensitive personal information” (SPI) to include personal information of “consumers that the business has actual knowledge are less than 16 years of age.”2 The March 2024 version also clarifies that “[a] business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age,” highlighting the continued focus on minors’ data.
Requirements for Methods of Submitting CCPA Requests: The updated proposed revisions would add new requirements for ensuring that CCPA rights requests mechanisms are “easy to execute.” Specifically, businesses that require consumers to fill out multiple or duplicative forms, or that impose unnecessary waiting periods between form submissions, may be in violation of the existing requirement that the process by which consumers submit CCPA requests be “easy to execute.” Additionally, businesses that require consumers to call a toll-free telephone number to submit a CCPA request must ensure that the individuals handling those calls have the knowledge and ability to process the consumer’s CCPA requests.
Service Providers and Contractors: The CPPA has proposed adding a requirement that any retention, use, or disclosure of personal information by a service provider or contractor (for the specific purposes permitted by section 7050) be “reasonably necessary and proportionate” for those purposes.
While the CPPA board voted 5-0 to advance the proposed revisions to the existing CCPA regulations, the draft risk assessment and ADMT regulations were advanced by a divided vote of 3-2. The two dissenting board members, Alastair Mactaggart and Lydia de la Torre, both expressed concern that the draft risk assessment and ADMT regulations may exceed the CPPA’s rulemaking authority under the CPPA, and that such an overreach could invite litigation. Mactaggart further noted that the draft regulations likely will not be very effective at advancing privacy interests.
The board also disagreed about the utility of advancing the draft regulations at this stage. The three members that voted for advancement favored soliciting input from external stakeholders immediately, arguing that further deliberation within the CPPA itself is unlikely to result in significant changes to the regulations. De la Torre, on the other hand, expressed concern that advancing the regulations now could be a waste of time and efforts if significant changes are made later down the line. And she voiced her concern that allowing consumers to opt out of the processing of their personal information for purposes training of ADMT and AI systems may result in biased systems, and may be in tension with Governor Newsom’s recent executive order on AI. Agency staff ultimately settled on seeking input from the Governor’s office on this point.
Currently, the board has voted only for staff to begin preparing the paperwork needed to initiate formal rulemaking and to keep revising the draft regulations based on feedback from the Board and the public.
The formal rulemaking process will likely not begin until July 2024 or later, and the regulations are unlikely to be finalized until 2025. Thus, companies operating in California and using ADMTs, including engaging in behavioral advertising, may want to consider submitting comments on these proposed edits to the proposed regulations.
Authored by W. James Denvil, Alyssa Golay, A.J. Santiago, and Rose Grover.