On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.
The revised draft regulations contain the following key changes and provisions:
Risk Assessments
- Risk Assessment Thresholds
- Update the list of processing activities that require a risk assessment, which include: (1) selling or sharing personal information; (2) processing sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years old); (3) using ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); and (4) when training ADMT or artificial intelligence that is capable of being used for: (a) a significant decision concerning a consumer, (b) establishing individual identity, (c) physical or biological identification or profiling, (d) generation of a deepfake, or (e) operation of generative models.
- Elements of Risk Assessments
- Clarify the operational elements of the processing that the business must identify in a risk assessment, which include, e.g., the business’s planned method for collecting, using, disclosing, retaining or otherwise processing personal information, and the sources of the personal information.
- Clarify which negative impacts to consumers’ privacy a business may consider, including impairing consumers’ control over their personal information, such as by providing insufficient information for them to make an informed decision regarding the processing of their personal information.
- Clarify the safeguards that a business must identify for ADMT to ensure it works as intended and does not discriminate.
- Submission Requirements
- Still require the proactive submission of risk assessment materials, including a certification of compliance, risk assessments in abridged form and optionally risk assessments in unabridged form, to the CPPA on an annual basis.
- Clarify exemptions, including that, if there have been no material changes in the processing during a subsequent submission period, a business is not required to submit an updated abridged risk assessment (but still must submit a certification of compliance).
- Streamline what must be included in an abridged risk assessment.
ADMT
- Definition of Automated Decisionmaking Technology
- Clarify that a technology is an ADMT if it processes personal information and uses computation to execute a decision, replace human decisionmaking or substantially facilitate human decisionmaking.
- Clarify that, while ADMT includes profiling, it excludes specific technologies, such as web hosting, caching, data storage, firewalls and spam-filtering, provided that the technologies do not execute a decision, replace human decisionmaking or substantially facilitate human decisionmaking.
- Definition of Profiling
- Expand the scope of profiling to include automated processing to analyze or predict an individual's intelligence, ability, aptitude, mental health and predispositions.
- Covered ADMT Uses
- Update the list of ADMT uses for which consumers can exercise their right to opt-out, which includes using ADMT (1) for a significant decision concerning a consumer; (2) for extensive profiling of a consumer; and (3) for training ADMT that is capable of being used for: (a) a significant decision concerning a consumer, (b) establishing individual identity, (c) physical or biological identification or profiling, or (d) generation of a deepfake.
- Recognize certain exceptions for ADMT uses that are not subject to consumers’ opt-out requests, including where the ADMT is used for maintaining security, fraud prevention and safety, and in certain circumstances where a method to appeal the decision to a human reviewer is provided. These exceptions do not apply to profiling for behavioral advertising or for the training use of ADMT.
- Notice Requirements
- Require the business to provide information to consumers about how the business proposes to use the ADMT, to enable them to decide whether to opt-out or proceed, and whether to exercise their access right.
- Tailor requirements to specific uses of ADMT, streamline the information that a business must provide and require that a business must provide additional notice (post-use) for certain significant decisions adverse to the consumer.
- Access Rights
- Require the business to provide plain language explanations of certain information, such as the specific purpose for using the ADMT, how the ADMT worked with respect to the consumer, and that the business is prohibited from retaliating against consumers for exercising their CCPA rights.
- Recognize an exception from access requests for using ADMT solely for training purposes.
For more information about California’s draft regulations regarding risk assessments and ADMT, please see the Centre for Information Policy Leadership at Hunton Andrews Kurth’s response to the CPPA’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code