In a bid to ensure consumer privacy and data protection, the California Privacy Protection Agency (CPPA) has released a draft of proposed regulations to govern automated decision-making technologies (ADMT).
According to CPPA, the regulations define important new protections related to businesses’ use of those technologies. The proposed regulations would implement consumers’ rights to opt out of and access information about businesses’ uses of ADMT, as provided for by the California Consumer Privacy Act (CCPA).
The state agency’s board will provide feedback on these proposed regulations at its December board meeting, and CPPA said it expects to begin a formal rulemaking next year.
“Once again, California is taking the lead to support privacy-protective innovation in the use of emerging technologies, including those that leverage artificial intelligence,” said Vinhcent Le, a member of the CPPA board and its New Rules Subcommittee that drafted the proposed regulations. “These draft regulations support the responsible use of automated decision-making while providing appropriate guardrails with respect to privacy, including employees’ and children’s privacy.”
In a press release, CPPA explained that the draft regulations outline how privacy provisions in the CPPA could be implemented. Specifically, the draft regulations propose rules that would impact businesses using ADMT in several ways, including:
- In decisions that tend to have the most significant impacts on consumers’ lives, including decisions about their employment or compensation.
- Profiling an employee, contractor, applicant, or student. This would include using a keystroke logger to analyze their performance and tracking their location.
- Profiling consumers in publicly accessible places, such as shopping malls, medical offices, and stadiums. This would include using facial-recognition technology or automated emotion assessment to analyze consumers’ behavior.
- Profiling a consumer for behavioral advertising. This would include evaluating consumers’ personal preferences and interests to display advertisements to them.
The draft includes additional consumer protection measures that would govern the use of a consumer’s personal information to train ADMT technologies.
For the uses of ADMT specified in the draft, the regulations would provide consumers with the following protections:
- Businesses would be required to provide “pre-use notices” to inform consumers about how the business intends to use ADMT, so that the consumer can decide whether to opt-out or to proceed, and whether to access more information.
- The ability to opt-out of the business’s use of ADMT, except in certain cases, such as to protect life and safety.
- The ability to access more information about how the business used ADMT to make a decision about the consumer.
CPPA said the draft requirements would “work in tandem” with risk assessment requirements that the board is also considering at its December meeting. “Together, these proposed frameworks can provide consumers with control over their personal information while ensuring that automated decision-making technologies, including those made from artificial intelligence, are used with privacy in mind and in design,” CPPA said.
