
Technology Law


California Releases Updated Draft CPRA Regs Governing Artificial Intelligence and Automated Decisionmaking Technology, Changes Are Extensive

On February 23, the California Privacy Protection Agency (CPPA) released updated draft regulations governing the use of artificial intelligence and automated decisionmaking technology (ADMT). The CPPA is scheduled to discuss the Regs at its next meeting on March 8. Below are some quick takeaways from my initial reading of this latest draft. As always, this list is not comprehensive, and you should speak with legal counsel regarding potential implications. If you have any questions or thoughts, please send me a message. 

Extensive Changes

This latest draft makes significant substantive changes to last year’s draft (for details on the prior draft, see my article here). Although the CPPA has not released (as of this posting) a redline comparing the latest draft to the prior draft, it did release a helpful overview of changes here. Some of the notable changes include:

Reorganization and Clarification

Most of the changes to the Regs fall into the category of reorganization and clarification. The Regs are now 35 pages long, combining ADMT and risk assessment obligations into a single document (risk assessment obligations are set out in §7150 et seq and ADMT obligations are set out in §7200 et seq). There are many new defined terms, including “behavioral advertising,” “deepfake,” “extensive profiling,” “physical identification or profiling,” “systematic observation,” “train automated decisionmaking technology or artificial intelligence,” and more. The result is that the Regs are highly technical and will require detailed analysis to truly understand potential implications. 

Alignment between Risk Assessment and ADMT Obligations

One positive outcome of the reorganization efforts is that the ADMT and risk assessment obligations are more closely aligned. For example, a business must comply with both ADMT and risk assessment obligations where it uses an ADMT for automated decisionmaking concerning a consumer or for extensive profiling. However, at the same time, the Regs include some glaring inconsistencies, which implies the subcommittees did not align on everything. For example, a business must conduct a risk assessment, but is not required to comply with ADMT obligations, where it uses personal information to train an ADMT for the “operation of generative models, such as large language models.” Also, the term “artificial intelligence” does not appear in the sections covering ADMT obligations. Hopefully, the CPPA addresses these inconsistencies before finalizing the Regs.

Behavioral Advertising

The latest draft makes clear that the CPPA is looking to regulate all advertising, not just sales and shares. Any business that profiles for behavioral advertising purposes will be required to comply with the risk assessment and ADMT obligations, including honoring opt-outs. The term “behavioral advertising” is defined to include any targeted advertising based on a consumer’s personal information obtained from their activity, including within a business’s own services; only non-personalized advertising (e.g., contextual advertising) seems to be exempt. The concern is that this broad definition and opt-out right could destroy business monetization models and lead to more subscription-based services. Also, it’s unclear how this definition will impact measurement and attribution. I expect industry pushback on this proposal.

Physical or Biological Identification or Profiling

The Regs add obligations for businesses that use “physical or biological identification or profiling,” including a requirement to ensure that such processing does not discriminate against protected classes. The concern about biometric information and discrimination mirrors some of the language we saw in the FTC’s recent settlement with Rite Aid (which we wrote about here). This appears to be yet another example of how regulators are influenced by decisions of other regulators. 

Workplace and Security Exceptions

The Regs include new exceptions, many of which focus on workplace and security issues. These new exceptions were likely drafted as a response to concerns voiced by CPPA members during their last meeting. Note that the exceptions are highly technical and only apply in limited instances. 

Human Appeal Exception

The latest draft includes a new human appeal exception, which allows businesses to offer a right to appeal a decision to a qualified human rather than offer an opt-out right. I expect many businesses will want to rely on this exception, but they will need to carefully review scope as it only applies in limited instances. 

ADMT Obligations

As a result of the extensive changes, we have decided to update our overview of the ADMT obligations. The remainder of this article covers those obligations. We will cover risk assessment obligations in a subsequent article. 

Three Main Requirements

Per §7200, any business that uses a covered ADMT must comply with the following three requirements: 

(1) Pre-Use Notice. The business must provide consumers with certain disclosures regarding use of the ADMT.

(2) Opt-Out. The business must provide consumers with the ability to opt-out of their personal information being processed using the ADMT. 

(3) Access. The business must provide consumers with the ability to request specific details about the business’s use of the ADMT to process their personal information.

Threshold

The ADMT obligations only apply where the following elements are met:

(1) ADMT. As an initial matter, there must be an ADMT involved. The latest Regs provide a new definition for ADMT, which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” Despite the new definition, ADMT is still so broadly defined that it arguably could cover any processing operation. I am curious to see whether the CPPA discusses this concern at their next meeting. 

(2) Use. The ADMT must be used in any of the following ways:

  • For “significant decisions” concerning a consumer, which means a decision that results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services;
  • For “extensive profiling” of a consumer, which means (i) “work or educational profiling” of a consumer; (ii) “public profiling” of a consumer; or (iii) profiling a consumer for “behavioral advertising;” or 
  • For training uses of ADMT, which includes processing consumers’ personal information to train ADMT that is capable of being used (i) for any significant decision concerning a consumer; (ii) to establish individual identity; (iii) for “physical or biological identification or profiling;” or (iv) for the generation of a “deepfake.” 

This section was completely revised in the latest draft, and businesses should carefully review each of the defined terms. I expect most businesses engage in processing operations that could fall within at least one of these use cases. For example, any business that uses advertising other than contextual advertising could arguably trigger the “profiling a consumer for behavioral advertising” use case.

(3) No Complete Exception. The ADMT must not be covered by a complete exception. For example, California law provides certain complete exceptions for “significant decisions.” Note that most exceptions found in the Regs are limited (e.g., an exception does not require a company to provide an opt-out but still requires a pre-use notice).

Below are further details about the pre-use notice, opt-out, and access requirements.

Pre-Use Notice Requirement

The pre-use notice requirement is similar to the “notice at collection” requirement under the original CPRA Regs. Under the pre-use notice requirement, any business that uses a covered ADMT must provide consumers with a notice that includes:

  • An explanation of the purpose for which the business uses the ADMT (which must not be in generic terms);
  • A description of the consumer’s right to opt-out of the use of the ADMT and how to exercise their right (or if not required due to an exception, details about the exception); 
  • A description of the consumer’s right to access information about the business’s use of the ADMT with respect to them and how to exercise their right; 
  • A statement that the business is prohibited from retaliating against the consumer for exercising their right; and
  • Additional information about how the ADMT works, including an explanation of the logic used and the intended output.

A business may combine multiple ADMT uses into a single notice. 

The latest draft includes a new obligation that the notice needs to be presented prominently and conspicuously to the consumer before the business uses the ADMT. I’m not clear how the CPPA expects businesses to comply with this requirement. 

The latest draft also includes notice exceptions where ADMTs are used for security, fraud prevention, safety, or solely for training. These exceptions are incredibly narrow, and need to be carefully reviewed. 

Opt-Out Requirement

The ADMT opt-out requirement shares much in common with the Do Not Sell/Share opt-out requirement under the original CPRA Regs. Under the ADMT opt-out requirement, any business that uses a covered ADMT must provide consumers with the ability to opt-out of the ADMT. 

Where a consumer opts out, the business must cease processing the consumer’s personal information using that ADMT within 15 business days, and notify all downstream recipients of the personal information to comply with the opt-out with respect to the ADMT.

Some notable aspects relating to the ADMT opt-out method: 

  • A business must offer an interactive form as well as at least one other method for the opt-out;
  • A business may not require creation of an account or verification (this differs from the prior draft);
  • A business must provide a means by which consumers can confirm the business processed their requests;
  • A business must respond to authorized agent requests if the authorized agent provides written permission signed by the consumer;
  • A business must offer an ADMT opt-out specific to ADMT requests (however, relying on cookie banners or cookie controls is not sufficient to address this right); and
  • There is no express obligation to respond to preference signals for ADMT use, such as GPC signals.

The latest draft includes new exceptions to the opt-out right. These exceptions appear to be in response to concerns brought up during the CPPA’s meeting in December that employers / businesses will need to offer opt-out rights to employees / consumers which could compromise internal employment practices / security. Pursuant to these new exceptions, under certain circumstances, businesses are not required to provide opt-out rights for work or educational profiling or public profiling. These exceptions are incredibly narrow, and need to be carefully reviewed.

There is also a new “human appeal exception.” Where a business uses an ADMT to make a significant decision concerning a consumer, rather than offer an opt-out right, the business can offer a right to appeal to a qualified human reviewer. There are specific requirements for businesses that rely on this exception. 

The latest draft also makes clear that using ADMTs for profiling for behavioral advertising or for training uses does not qualify for any opt-out exceptions. As noted at the beginning of this article, the broad definition of behavioral advertising could have a significant impact on the advertising industry.

Access Right Requirement

The access right requirement is similar to the “right to know” requirement under the original CPRA Regs. Under the access right requirement, any business that uses a covered ADMT must provide consumers with the ability to request information about the business’s use of ADMT with respect to their personal information. Consumers must verify their identities, and businesses must address verifiable consumer requests within 45 days.

Where a consumer exercises their right, the business shall provide the following:

  • The specific purpose for which the business used the ADMT with respect to the consumer;
  • The output of the ADMT with respect to the consumer;
  • How the business used the output with respect to the consumer;
  • How the ADMT worked with respect to the consumer; and
  • That the business is prohibited from retaliating against the consumer for exercising their right.

The specific obligations around this access right requirement are incredibly robust and may be difficult for businesses to address. To address some of these concerns, the CPPA added exceptions to this latest draft. Businesses relying on the limited security, fraud prevention, and safety exceptions are not required to provide information that would compromise the ADMT for those security, fraud prevention, or safety purposes. Also, businesses that use an ADMT solely for training purposes may be able to rely on an exception.

Despite the above, there is an argument that this level of required detail goes far beyond the CPRA statutory text and privacy law. I anticipate legal challenges to some of these requirements. 

Additional Requirements

Physical or Biological Identification or Profiling

The latest draft includes a new section §7201. Under this section, a business that uses physical or biological identification or profiling for a significant decision concerning a consumer or for extensive profiling must also:

  • Conduct an evaluation of the physical or biological identification or profiling to ensure it works as intended for the business’s proposed uses and does not discriminate based on protected classes; and 
  • Implement policies, procedures, and training to ensure that the physical or biological identification or profiling works as intended for the business’s proposed use and does not discriminate based on protected classes.

This section is strange for a number of reasons: 

First, it essentially lays out assessment requirements in the ADMT requirement section. Perhaps the subcommittee working on the ADMT requirements wanted to ensure they were included in the Regs.

Second, the CPRA already includes a definition of biometric information, and the CPPA has now proposed a definition for “physical or biological identification or profiling” that goes beyond that definition. 

Third, it creates a new obligation to ensure the use does not discriminate against protected classes. To my knowledge, this is the first time “protected classes” appears in the text. From a harmonization perspective, it would make sense to replace “protected classes” with discrimination based on race, gender, and other sensitive categories of personal information. As noted above, I suspect the CPPA drafted this section after reading the FTC’s settlement against Rite Aid from December.

Adverse Significant Decisions

Where a business uses an ADMT to make an adverse significant decision, the business must provide additional notice to the consumer of their access right within 15 days of the decision. An “adverse significant decision” means a decision that (i) results in a consumer acting in their capacity as a student, employee, or independent contractor being denied educational credit, having their compensation decreased, or being suspended, demoted, terminated or expelled; or (ii) results in a consumer being denied financial or lending services, housing, insurance, criminal justice, healthcare services, or essential goods or services. This obligation appears to be similar to the adverse action letters requirement under FCRA.

Service Providers

Under the ADMT obligations portion of the Regs, a service provider must provide assistance to the business in responding to verifiable consumer access requests. Other parts of the CPRA Regs impose specific obligations on service providers, but it is interesting we did not see more here. 

Children Under 16

This latest draft removes the express reference to children under 16. Personal information relating to consumers whom a business has actual knowledge are children under 16 is now a category of sensitive personal information found within the draft update to the existing CPRA Regs.

Summary of Changes

Below is a helpful image released by the CPPA comparing the requirements for ADMT use cases. 
