On March 27, 2023, the California Privacy Protection Agency (CPPA) will close its second phase of rulemaking on automated decision-making (ADM) systems under the California Privacy Rights Act (CPRA)— but not before giving stakeholders a valuable opportunity to help shape this important rulemaking around how businesses may use ADM systems and the scope of related consumer rights.
The CPPA has invited pre-rulemaking comments in response to a series of questions designed to inform its crafting of regulations on ADM. Aiming to balance the promotion of business opportunities against consumer protection, the CPPA is looking to better understand existing laws, assessments, and best practices, as well as which ADM technologies businesses and organizations already use, what they are doing to navigate existing laws, requirements and expectations.
The Agency has additionally solicited input on the existing and potential consumer experience and impact created by the laws, requirements and practices to which CPRA-covered businesses are already subject.
Major Questions and Considerations
Below, we discuss a few of the most crucial topics posed for comment by the CPPA as they relate to ADM.
What is ADM? The Agency’s invitation for comment specifically asks how ADM is defined under other laws, frameworks, and best practices. While this question holds out the prospect of regulatory alignment, it also raises the specter of California seeking to create a higher bar. Should the CPPA choose to adopt a broader definition than those used in other jurisdictions, it will likely require businesses to reevaluate their compliance efforts and expend more resources on compliance.
Which access and or/ opt-out rights should be provided to consumers? And should they vary? Depending on the industry, the technology in use, the type of consumer, the sensitivity of the data, and myriad other factors, access and opt-out rights with respect to use of ADM could have a significant impact on outcomes and consumer experience. For example, employers that utilize ADM tools as a part of their services or practices will need to account for how their employees are impacted by the technology, in addition to any considerations related to consumers. Similarly, companies utilizing ADM in the healthcare industry will have very different concerns from stakeholders in the telecommunications sector. The CPPA is undoubtedly aware of the public’s skepticism around the use of ADM, and potential concerns related to logic, profiling, algorithmic bias and data privacy. The Agency faces a daunting task of balancing these issues with the need for business innovation and flexibility.
How much “access” should access requests provide? Once the CPPA determines whether, and under what circumstances, consumers should be able to make access requests of businesses, it will then need to establish what kinds of information should be included in responses to those requests. This round of comments seeks to guide the Agency in weighing the interests of consumers in understanding the logic involved in ADM processes, and the interests of businesses in protecting their internal processes and trade secrets. Too much transparency could prove to hamper innovation and limit the pace of progress in employment of rapidly developing ADM technology. Conversely, too little transparency may stoke mistrust or curb engagement amongst consumers. The CPPA is soliciting insights around how other regulators and business insiders have approached this question, in hopes of tailoring rules to provide the appropriate protections for businesses and consumers, alike.
California is providing an invaluable opportunity to help shape its forthcoming regulation of ADM with rulemaking that will likely have complex and far reaching implications for businesses and consumers alike.