The California Privacy Protection Agency (CPPA) released a set of draft regulations in November 2023 to regulate the use of artificial intelligence (AI) and automated decision-making technology (ADMT). The ADMT regulations, now in rulemaking, aim to make automated decisions transparent, especially for critical areas like employment, education, loans, and health care. Currently, no federal law allows consumers to opt out of having their data used in such decisions, but California leads in data protection.
As proposed, the regulations give consumers the right to know when automated decisions use their data, to understand how those decisions were made, and to opt out of having their data used. Companies must also complete risk assessments and audits. However, there’s ongoing debate about the scope, with the board narrowing the definition of “automated decision.”
Business opponents see these rules as costly, and privacy board member Alastair Mactaggart, who originally led the California Privacy Rights Act, also dissents. Mactaggart argues the rules are “overbroad,” regulating technology rather than how technology is used, noting, “Using spreadsheets are not automated decisions, but using regression analysis is.” He suggests deleting Articles 10 and 11, which mandate risk assessments and audits.
Board member Vinhcent Le agreed on some points, advocating targeted opt-outs only for critical decisions. The draft law exempts simpler tech like calculators and spreadsheets from regulation and focuses on decisions in lending, housing, insurance, education, criminal justice, employment, and health care.
The board debated delaying finalization by narrowing the draft, but Chair Jennifer Urban and others preferred to proceed to public comment rather than revising further. Public comment is now open for 45 days and is expected to run into January. The board is expected to finalize the regulations sometime during the first quarter of 2025.
Ashkan Soltani, the Executive Director of the CPPA and the first to hold this role since his appointment by the CPPA Board, has announced his departure, effective January 2025. The date for the CPPA Board’s next meeting has yet to be scheduled.
Key Elements of the Draft ADMT Regulations
- Definition and Scope of ADMT: The draft regulations encompass any technology that uses automated processes or algorithms to make significant decisions about consumers, particularly decisions that can impact access to services, employment, finances, or healthcare. The scope is broad, covering a wide array of applications to ensure comprehensive oversight.
- Transparency and Consumer Awareness: The regulations prioritize consumer awareness by requiring that companies disclose when they use automated decision-making technology in processes impacting individuals. Consumers should be clearly informed about how these technologies affect their rights, creating a layer of transparency intended to build trust and accountability.
- Privacy Impact Assessments (PIAs): Companies utilizing ADMT must conduct regular Privacy Impact Assessments, with a specific focus on risks to consumer privacy, data accuracy, and fairness. These assessments are designed to identify and mitigate potential biases, inaccuracies, and other risks inherent to automated processes, thus enhancing consumer protections.
- Security Audits: In addition to impact assessments, companies must perform ongoing security audits for their ADMT systems. These audits will ensure that data protection measures are current and that any vulnerabilities in automated processes are promptly addressed to safeguard consumer data.
- Opt-Out Rights for Consumers: The regulations propose giving consumers the ability to opt out of certain ADMT-driven decisions, particularly those that might have a significant impact on them. This element emphasizes consumer control, allowing individuals to choose whether or not they want their information to be subject to automated decision-making processes when feasible.
- Accountability Requirements for Businesses: The draft outlines strict documentation requirements for businesses, requiring them to record their use of ADMT and maintain records of impact assessments and audits. This accountability mechanism is meant to facilitate compliance reviews and enforcement by the California Privacy Protection Agency (CPPA).
Implementation and Timeline
- Public Comment Period: The CPPA has opened the draft for public comments, inviting feedback from various stakeholders to refine the regulations based on input from industry, advocacy groups, and the public.
- Expected Effective Date: The finalized regulations are anticipated to be implemented by mid to late 2024, following the review of public commentary and any subsequent adjustments to the draft.
These draft regulations demonstrate California’s intent to set a strong regulatory standard around AI and automated decision-making technologies, focusing heavily on consumer rights, corporate accountability, and robust safeguards against risks posed by ADMT. These regulations now move to the Office of Administrative Law and, if approved, will become effective January 1, 2025.