Insights
Publications

California AI Proposal Rethinks Consumer Scope and Recordkeeping

March 6, 2024 Articles
Bloomberg Law

The California Privacy Protection Agency will revisit its draft regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024, and businesses should get ready to provide input.

The agency aims to regulate notice, opt-out, and access rights for California consumers and employees with respect to businesses’ use of ADMT. This week, the new regulations may move closer to implementation, so businesses should track further revisions before the rulemaking process begins and business input becomes critical.

The proposed regulations state that ADMT covers any system—including one derived from machine learning or AI—that processes personal information and uses computation to make decisions. This includes profiling, which is any form of automated processing of a person’s aspects, such as job performance, health, behavior, or location.

Despite ADMT’s broad scope, the draft regulations apply only to certain business uses and contain several exceptions to the proposed opt-out and access rights.

Businesses should keep in mind that the proposed regulations don’t regulate all business uses and would only apply for a decision that produces legal or similarly significant effects concerning a consumer; for profiling a consumer who acts in their capacity as an employee, independent contractor, job applicant, or student; or for profiling a consumer while they’re in a publicly accessible place.

Businesses can prepare for formal rulemaking by following five action items.

First, because the proposal doesn’t include an exception to the pre-use notice right, businesses should assess whether they use or intend to use ADMT in one of the three ways being contemplated. These ways include a decision that produces significant effects on the consumer; profiling a consumer who is an employee, job applicant, or student; or profiling a consumer who is in a publicly accessible place.

Second, for each current or intended use of ADMT meeting the thresholds, businesses should draft a pre-use notice that compiles with proposed Section 7017, which requires the business’s intended use purpose, a description of the consumer’s opt-out right, and a simple way for consumers to obtain additional information about the business’s use of ADMT.

Third, businesses should assess if any of the four contemplated exceptions (security, fraud prevention, safety, and requested good or service) apply to their uses of ADMT. Businesses should document how an exception applies, as they must provide an explanation to the CPPA upon the agency’s request.

Regarding the “requested good or service” exception, businesses should document that no alternative processing method is used in similar industries, along with one of three factors:

  • It would be futile for the business to use alternative processing methods.
  • Using an alternative processing method would result in a good or service that isn’t as valid, reliable, and fair.
  • Using an alternative processing method would impose an extreme hardship on the business in light of its financial resources and its technical capabilities.

Fourth, businesses should assess how they will allow consumers to submit opt-out requests. A business that interacts with consumers online must allow requests to opt out through an interactive form accessible via an opt-out link in the pre-use notice.

Other methods include a toll-free phone number, a designated email address, or mail submission. Under the proposed regulations, a notification regarding cookies isn’t by itself an acceptable method.

Fifth, businesses should ensure that their methods for consumers to submit access requests comply with Section 7020 of the CCPA.

A business operating exclusively online, with a direct relationship with a consumer from whom it collects personal information, shall only be required to provide an email address for submitting requests. However, all other businesses must provide two or more methods designated by Section 7020(b), such as a toll-free telephone number and web form.

Businesses should assess their current use of ADMT and whether that use would produce significant effects on consumers. They also must assess whether any exceptions might apply and which methods to adopt for opt-out and access request submissions.

Copyright 2024 Bloomberg Industry Group, Inc. (800-372-1033) www.bloombergindustry.com. Reproduced with permission.

Firm Highlights

Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

Top 5 Privacy Cases To Watch, From Chatbots to Geolocation

Litigation — and threats of litigation — related to privacy law violations have been on the rise recently. While some judges have pushed back on the theories set forth by plaintiffs, new privacy lawsuits...

Read More
Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

Enforcement of CPRA Regulations Delayed

Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More