The California Privacy Protection Agency (CPPA) recently proposed a new regulatory framework for Automated Decisionmaking Technology (ADMT) that, among other things, would require comprehensive disclosures and an opt-out right for Consumers (defined as a California resident) regarding the use of any ADMT, with limited exceptions. The term ADMT includes AI technology but also extends to any computational technique used to make a decision or assist a human in making a decision regarding a Consumer. If regulations consistent with this framework are adopted, it could impose significant new requirements on companies subject to the California Consumer Protection Act of 2018 (CPPA).

Applicability

The framework would apply to any Business, as defined under the CCPA, using ADMT to: (1) make a decision that produces a legal or similarly significant effect concerning a Consumer, (2) profiling a Consumer acting in their capacity as an employee, independent contractor, job applicant, or student, and (3) profiling a Consumer while they are in a publicly accessible place.

Here, the term "ADMT" is defined broadly, and includes systems that process personal information to make or execute a decision or that assist human decisionmakers. While this term includes AI systems, it is not limited only to AI systems. "Profiling" also carries a broad definition and includes evaluating a natural person to analyze or predict aspects of a person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The CPPA’s Rules Subcommittee has also provided three additional circumstances where the rules would apply for consideration by the CPPA Board, including profiling where the Business has actual knowledge that the Consumer is under the age of 16 or processing personal information of Consumers to train ADMT regardless of whether the ADMT is used to make a decision regarding the Consumer.

As a result, these rules would apply to a wide range of industries, including behavioral advertising, insurance, employment decisions, mortgage, lending, and credit decisions, among others.

New Requirements for the Use of ADMT

The framework provides Consumers with three new substantive rights: (1) a right to know that ADMT is being used prior to the use of the technology, (2) a right to opt-out of the use of ADMT as applied to them (subject to certain exceptions), and (3) a right to access information about how the ADMT was used to make a decision regarding them.

Right to Pre-Use Notice

Prior to using ADMT, Businesses must give prior notice to Consumers that an ADMT will be used to process their personal information. The pre-use notice must include a specific explanation of the purpose of the ADMT, how a Consumer may opt out of the ADMT (or a specific explanation of why the Consumer may not opt out), and how the Consumer may obtain additional information about the ADMT. The additional information must include:

• The logic used in the ADMT, including key parameters affecting the output and an explanation of why these parameters are key;
• the intended output of the ADMT, e.g. a numerical score of compatibility;
• how the business plans to use the output to make a decision, including the role of any human involvement; and
• whether the ADMT has been evaluated for validity, reliability, fairness, and the outcome of any such evaluation.

Right to Opt-Out

Companies must also give Consumers a means to opt out of the use of ADMT. This must include a method like the manner that the Business ordinarily uses to communicate with Consumers plus one additional method (such as by mail or via toll-free phone number). The rules provide that cookie banners are expressly not an adequate means of providing an opt-out right. Once a business receives an opt-out request, it must provide the Consumer a way of verifying that the request has been received and may not ask for permission to use ADMT for at least 12 months after receiving the opt-out request.

Importantly, Businesses need not provide an opt out right to Consumers if the ADMT is used to prevent, detect, or investigate cybersecurity incidents, to resist malicious, deceptive, fraudulent, or illegal actions, or to protect the life and physical safety of Consumer individuals.

Businesses also do not need to provide an opt-out right if the ADMT is necessary to provide goods or services specifically requested by the Consumer and there is no reasonable alternative method of processing. Any Business relying on this exception must be prepared to show, within five (5) days of a request from the CPPA, that there is no reasonable alternative method of processing because: (1) it would be futile to do so given the volume of data processed; (2) it would not result in processing that was as valid, reliable, and fair as the ADMT; or (3) developing an alternative method would impose extreme hardship on the Business and that there is no alternative method of processing used in the Business's industry or similar industries. This exception, though, is not available to preclude an opt-out right for behavioral advertising.

Right to Access

Finally, the framework provides that Consumers have a right to access information about the Business's use of ADMT. This right of access consists of two notices. First, if an ADMT is used and results in an adverse decision against the Consumer, the Business must provide a notice that a decision was made using ADMT, that the Consumer has a right to access information about that ADMT, instructions for accessing that information, and notifying the Consumer that they can submit a complaint to the CPPA or the California Attorney General.

Second, regardless of whether an adverse decision was made, a Consumer may request information regarding how a Business uses ADMT. The Business must respond to any such request with information that includes:

• The business purpose of the ADMT in specific terms,
• the output of the ADMT for the requesting Consumer (if any),
• how the Business used or will use the output to make a decision with respect for the Consumer, including any factors other than the ADMT output to make the decision, the role of any human involvement in the decision making process, and whether the ADMT has been evaluated for validity, reliability, and fairness, as well as the result of any such evaluation,
• how the ADMT worked with respect to the Consumer, including how any assumptions or limitations were applied, and what the key parameters were that affected the output of the technology,
• a simple and easy-to-use method to permit the Consumer to obtain the range of possible outputs and aggregate output statistics, and
•  instructions for how the Consumer can exercise their rights under the CCPA, including submitting a complaint to the CPPA or California Attorney General.

Conclusion

While this framework is only an initial recommendation from the CPPA Rules Subcommittee, and is not yet a formal rulemaking, they are a clear indication of the agency’s direction in this rulemaking to provide a new comprehensive set of Consumer rights surrounding the use of ADMT, including the use of AI technologies. Businesses subject to the CCPA should begin proactively reviewing and assessing their AI and other ADMT governance programs to determine what steps will be necessary to comply with these forthcoming regulatory requirements, including adjustments to business workflows and documenting current uses of ADMT.  The CPPA Board will consider these recommendations at its December 8 Public Meeting, and intends to begin the formal rulemaking process next year. We at Baker Botts will continue to monitor these developments.

If you would like to discuss your organization’s approach to AI and ADMT governance and CPPA compliance, please contact a member of Baker Bott’s Privacy & Cybersecurity team.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.