California Privacy Protection Agency Publishes Draft Regulations on Automated Decisionmaking Technology

by Hunton Andrews Kurth LLP

photo of the author

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

The proposed regulations would require businesses to provide a “Pre-use Notice,” which would inform individuals about a business’s use of ADMT and the right to opt-out of or access information about the ADMT in use. The Pre-use Notice must also explain the purpose behind using the ADMT in specific terms. In addition to the notice requirement, the proposed regulations would also allow individuals to opt out of uses of ADMT for decisions that produce legal or similarly significant effects or that involve profiling an individual (1) in their capacity as an employee, student, job applicant, or independent contractor; or (2) in a publicly accessible place. Under the proposed regulations, individuals also can exercise a right to access information about a business’s use of ADMT. Feedback by the CPPA Board on the proposed regulations is anticipated at the upcoming Board meeting. The CPPA is expected to begin formal rulemaking on the draft regulations in 2024.

This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).