California AI Proposal Rethinks Consumer Scope and Recordkeeping
The California Privacy Protection Agency will revisit its draft regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024, and businesses should get ready to provide input.
The agency aims to regulate notice, opt-out, and access rights for California consumers and employees with respect to businesses’ use of ADMT. This week, the new regulations may move closer to implementation, so businesses should track further revisions before the rulemaking process begins and business input becomes critical.
The proposed regulations state that ADMT covers any system—including one derived from machine learning or AI—that processes personal information and uses computation to make decisions. This includes profiling, which is any form of automated processing of a person’s aspects, such as job performance, health, behavior, or location.
Despite ADMT’s broad scope, the draft regulations apply only to certain business uses and contain several exceptions to the proposed opt-out and access rights.
Businesses should keep in mind that the proposed regulations don’t regulate all business uses and would only apply for a decision that produces legal or similarly significant effects concerning a consumer; for profiling a consumer who acts in their capacity as an employee, independent contractor, job applicant, or student; or for profiling a consumer while they’re in a publicly accessible place.
Businesses can prepare for formal rulemaking by following five action items.
First, because the proposal doesn’t include an exception to the pre-use notice right, businesses should assess whether they use or intend to use ADMT in one of the three ways being contemplated. These ways include a decision that produces significant effects on the consumer; profiling a consumer who is an employee, job applicant, or student; or profiling a consumer who is in a publicly accessible place.
Second, for each current or intended use of ADMT meeting the thresholds, businesses should draft a pre-use notice that compiles with proposed Section 7017, which requires the business’s intended use purpose, a description of the consumer’s opt-out right, and a simple way for consumers to obtain additional information about the business’s use of ADMT.
Third, businesses should assess if any of the four contemplated exceptions (security, fraud prevention, safety, and requested good or service) apply to their uses of ADMT. Businesses should document how an exception applies, as they must provide an explanation to the CPPA upon the agency’s request.
Regarding the “requested good or service” exception, businesses should document that no alternative processing method is used in similar industries, along with one of three factors:
- It would be futile for the business to use alternative processing methods.
- Using an alternative processing method would result in a good or service that isn’t as valid, reliable, and fair.
- Using an alternative processing method would impose an extreme hardship on the business in light of its financial resources and its technical capabilities.
Fourth, businesses should assess how they will allow consumers to submit opt-out requests. A business that interacts with consumers online must allow requests to opt out through an interactive form accessible via an opt-out link in the pre-use notice.
Other methods include a toll-free phone number, a designated email address, or mail submission. Under the proposed regulations, a notification regarding cookies isn’t by itself an acceptable method.
Fifth, businesses should ensure that their methods for consumers to submit access requests comply with Section 7020 of the CCPA.
A business operating exclusively online, with a direct relationship with a consumer from whom it collects personal information, shall only be required to provide an email address for submitting requests. However, all other businesses must provide two or more methods designated by Section 7020(b), such as a toll-free telephone number and web form.
Businesses should assess their current use of ADMT and whether that use would produce significant effects on consumers. They also must assess whether any exceptions might apply and which methods to adopt for opt-out and access request submissions.
Copyright 2024 Bloomberg Industry Group, Inc. (800-372-1033) www.bloombergindustry.com. Reproduced with permission.