
Updates to CPPA Proposed Regulations – Part 2: Risk Assessments and Automated Decisionmaking Technology

The most recent meeting of the California Privacy Protection Agency was a lengthy one, with a jam-packed agenda. Part 1 of our look at what came out of that meeting is here. This post analyzes the discussion and draft regulations for risk assessments and automated decisionmaking technology. The board spent over three hours on this agenda item, focusing closely on defined terms and the timing of certain requirements. Because these regulations will impose new burdens and restrictions on many businesses, the board is walking a tightrope, balancing consumer protection against the burden placed on businesses.

Automated Decisionmaking Technology

Defined Terms

These regulations will not impact every business using automated decisionmaking technology (ADMT) in California. Instead, how a business uses ADMT will determine whether, and how, these draft regulations apply. Accordingly, businesses should pay close attention to the following defined terms, included in § 7001, as the CPPA continues to narrow, broaden or otherwise tweak such definitions:

  • “Automated decisionmaking technology” means any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. Automated decisionmaking technology includes profiling.
  • “Decision that produces legal or similarly significant effects concerning a consumer” means a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.
  • “Profiling” means any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • “Publicly accessible place” means a place that is open to or serves the public. Examples of publicly accessible places include shopping malls, stores, restaurants, cafes, movie theaters, amusement parks, convention centers, stadiums, gymnasiums, hospitals, medical clinics or offices, transportation depots, transit, streets, or parks.

Regulation of ADMT

These draft regulations impose a three-prong framework to regulate ADMT: impacted businesses must (i) provide consumers with a notice of how such business intends to use ADMT (Pre-Use Notice); (ii) take certain action following receipt of an opt-out request from a consumer; and (iii) supply certain information to the consumer regarding the business’s use of ADMT following receipt of an access request from a consumer.

The draft regulations propose to require only those businesses using ADMT for the following purposes to comply with such a framework (§ 7030):

  • For a decision that produces legal or similarly significant effects concerning a consumer, as defined in § 7001;
  • Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student;
  • Profiling a consumer while they are in a publicly accessible place;
  • Profiling a consumer for behavioral advertising;
  • Profiling a consumer that the business has actual knowledge is under the age of 16; or
  • Processing the personal information of consumers to train ADMT.

Businesses that use ADMT for the above-listed purposes may further be exempted from the requirements to grant a consumer the ability to opt out or receive access information if the business's relevant use of ADMT is compliant with § 7002 and the business can show that such use of ADMT is necessary to achieve, and is used solely for, at least one of the following purposes (§ 7030(m); § 7031(j); § 7031(k)):

  • To prevent, detect, and investigate certain security incidents;
  • To resist, and prosecute those responsible for, malicious, deceptive, fraudulent, or illegal actions; and
  • To protect the life and physical safety of consumers.

Additionally, businesses are not required to provide the consumer with the ability to opt out of the business's use of ADMT if such use is necessary to provide the goods or services the consumer requested. To claim this exception, the business must be able to explain to the CPPA, upon the CPPA's request, that one of the following applies (§ 7030(m)(4)):

  • It would be futile for the business to develop or use alternative methods of processing;
  • Use of an alternative method of processing would result in a good or service that is not as valid, reliable, and fair; or
  • Developing an alternative method of processing would impose extreme hardship upon the business.

If a business would otherwise be required to provide consumers with a right to opt out or receive access information, but is not providing such rights because an exception applies, the business may claim the applicable exception set forth in § 7030(m) by stating in the applicable Pre-Use Notice that it is relying on an exception under § 7030(m) and identifying the specific exception on which it relies.

It is important to note that none of the above-listed exceptions apply if a business uses ADMT to profile consumers for behavioral advertising (§ 7030(n)).

Risk Assessment

The CPPA plans to require certain businesses to complete and submit risk assessments to ensure that businesses actually understand the full risks to the consumer, and the benefits the business receives, from processing personal information and using ADMT. Accordingly, the requirement to conduct and submit a risk assessment will be imposed on businesses that sell, use or process personal information, or use ADMT, in a way that the CPPA considers to be high risk (§ 7150(b)), including for decisions that produce legal or similarly significant effects concerning a consumer, or that involve profiling consumers (i) acting in certain capacities, (ii) in publicly accessible places, or (iii) for behavioral advertising. Some of the uses listed in the draft regulations are very specific; however, these draft regulations aim to be helpful now, with the flexibility to be amended in the future as needed to broaden or otherwise reshape the language to adapt to evolving technologies.

According to the draft regulations, risk assessments must be submitted to the CPPA initially following the enactment of the rules, at a regular cadence thereafter, following a material change to the business's processing activities, and upon request of the CPPA (§ 7156; § 7158(a); § 7158(d)). The actual time businesses will have to prepare these risk assessments may change before these rules are enacted, but the CPPA's goal is to allow businesses sufficient time to fully comply with the comprehensive submission requirements of the regulations without becoming overly burdensome. In this spirit, the board discussed possibly allowing businesses that already comply with the risk assessment requirements of the General Data Protection Regulation (GDPR) to submit a modified version of their GDPR risk assessment to the CPPA, rather than start from scratch.

The recent updates to the regulations on risk assessments affect when and how frequently a business is required to conduct and submit a risk assessment, and what a business must include in it. One of the most substantial updates to the draft regulations appears in § 7158, which details the submission requirements for risk assessments: the cadence at which businesses must submit risk assessments to the CPPA, what must be submitted as part of the risk assessment (a certificate of compliance as well as the risk assessment in both abridged and unabridged form), how the risk assessment shall be submitted, and a mechanism allowing the CPPA to require a business to submit a risk assessment upon request.

While certain details in these regulations are likely to change by the time the rules are enacted, businesses should not wait until the enactment date to understand and set up processes to document their uses of ADMT, including the risks to the consumer of such use and the business's actual benefit from it. The period for preliminary written comments from the public on these draft regulations closed on March 27, 2023. However, members of the public are welcome to attend open sessions of the CPPA board and are invited to comment, during such meetings, on the agenda items. The next meeting of the CPPA board is expected to occur in January or February 2024.

Next up in our series, an analysis of the CPPA’s discussion of regulations, proposals, and priorities. 

Author

M. Bertie Magit is an Associate at Mintz who focuses on corporate matters such as mergers and acquisitions, capital markets transactions, and corporate governance. Her clients include businesses of all sizes, including emerging companies.