
Further Updates to the CPPA Proposed Regulations: Risk Assessments and Automated Decisionmaking Technology

After years of internal discussion, the Board of the California Privacy Protection Agency (CPPA), at their March 8th meeting, voted to progress toward formalizing the proposed regulations on risk assessments and automated decisionmaking technology (ADMT). Following a presentation from CPPA staff on the recent updates to the proposed regulations, as further described below, the Board engaged in a lively debate over two key issues: (i) the scope of the application of these proposed regulations (with Board members firmly expressing opposing positions) and (ii) the appropriate timing to advance the proposed regulations. After a lengthy meeting and significant public comment, the Board authorized CPPA staff in a narrow 3:2 vote to advance the proposed regulations on risk assessments and ADMT towards the formal rulemaking process by authorizing CPPA staff to begin preparation of the necessary paperwork for final approval and to solicit additional stakeholder feedback. 

RECENT UPDATES TO THE PROPOSED REGULATIONS

Definitions

In an effort to respond to Board feedback from the December 2023 CPPA Board meeting, CPPA staff added new definitions and modified others to clarify applicability and scope of particular proposed regulations and to streamline and increase the readability of certain definitions. The key definitions discussed at the CPPA Board meeting were the following: ADMT, profiling, significant decision, artificial intelligence, and behavioral advertising (§7001). 

The updated definition of ADMT clarifies the types of technology that are and are not included within the scope of ADMT, as well as how such technology is used, each of which affects the types of businesses that may be subject to the proposed regulations. The updated definition of artificial intelligence similarly clarifies the types of machine-based systems of concern. The definitions for profiling and significant decision were likewise clarified and narrowed in scope. Finally, CPPA staff added a proposed definition for behavioral advertising to clarify and narrow the application of ADMT regulation on businesses (§7200(a)(2)) and to further provide guidance to businesses that may otherwise seek an exception from the risk assessment submission requirements (§7150(b)(3)(b)(iii)).

Risk Assessments

The key changes to the risk assessment requirements in the proposed regulations since the December 2023 meeting concern (i) when a business must conduct a risk assessment (§7150), (ii) who must be involved in contributing to the risk assessment (§7151), (iii) what needs to be included in the risk assessment (§7152) (with special requirements where businesses process personal information to train ADMT or artificial intelligence (§7153)), (iv) a prohibition of certain processing, regardless of the risk assessment (§7154), (v) when a risk assessment must be conducted and updated (§7155), (vi) conducting risk assessments related to certain processing activities or compliance with other laws (§7156), and (vii) how businesses submit their risk assessments, including timing requirements and requirements for submission materials (§7157). While CPPA staff updated many aspects of the risk assessment requirements, the main focus during the Board meeting was on the changes to the risk assessment thresholds (§7150), updates to the risk assessment requirements (§7152), and revisions to the submission requirements (§7157).

The revisions to §7150(b) require businesses to conduct risk assessments whenever such business conducts the following processing activities, each of which presents a significant risk to the privacy of consumers: (i) selling or sharing personal information, (ii) processing sensitive information (a defined term that now includes the personal information of minors under the age of 16), (iii) using ADMT for making a significant decision concerning a consumer or for extensive profiling, such as employment or educational profiling, public profiling or profiling for behavioral advertising, and (iv) using personal information to train ADMT or artificial intelligence that can be used for certain purposes.

The proposed regulations have also been updated to specify and clarify details of the risk assessments, including the operational elements impacted businesses must identify in their risk assessments as well as requiring impacted businesses to consider particular negative impacts to consumers’ privacy. CPPA staff made these edits to intentionally clarify the relationship between consumers and impacted businesses, clarify the disclosures that impacted businesses must make to consumers, and increase readability of the proposed regulations. The recent updates also clarify when impacted businesses are and are not required to submit a risk assessment. CPPA Board members requested that CPPA staff further update §7157 to clarify what materials and information impacted businesses are required to submit as part of the abridged form of the risk assessment, giving impacted businesses additional guidance.

ADMT

The proposed regulations impose three key requirements on impacted businesses using ADMT: (i) impacted businesses are required to provide consumers with a pre-use notice before using ADMT (§7220), (ii) impacted businesses must present consumers with a right to opt-out of the business’s use of ADMT (§7221), and (iii) consumers must be given a right to access information regarding the impacted business’s use of ADMT (§7222).

While these overall elements have not changed since the December 2023 meeting, CPPA staff have made certain business-friendly updates, such as narrowing the application of these requirements in certain areas, including tailoring pre-use notice requirements to specific uses of ADMT (§7220) and adding exceptions to opt-out requirements (§7221(b)), providing additional flexibility to businesses in how they present certain information (§7220), and clarifying certain requirements with examples. However, the updated proposed regulations also impose new requirements on businesses, such as requiring businesses to disclose that the business will not retaliate against a consumer for opting out of ADMT or requesting access to information about the business’s use of ADMT. 

What is Next?

Many of the updates to the proposed regulations attempted to placate the entire CPPA Board by balancing consumer rights against the impact on businesses and future innovation. However, certain Board members made it clear that the CPPA staff’s view of the middle ground was skewed in favor of consumers and would require far too many businesses to comply with the proposed regulations. A Board member also expressed concern that if the CPPA oversteps and imposes regulations that are too broad, the regulations themselves, once formalized, could be challenged and struck down. 

The next stage toward the formal rulemaking process will open up the discussion around these proposed regulations to include stakeholders who will almost certainly have strong opinions over the scope of the application of these proposed rules. While California businesses may want to familiarize themselves with the general requirements of these proposed regulations, the proposed regulations will likely be revised further in consideration of stakeholder comments. Following receipt of such stakeholder input, the Board will re-review the draft regulations prior to commencing the formal rulemaking process, which may begin as soon as July 2024. Stay tuned!

Authors

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.
M. Bertie Magit is an Associate at Mintz who focuses on corporate matters such as mergers and acquisitions, capital markets transactions, and corporate governance. Her clients include businesses of all sizes, including emerging companies.