Privacy & Information Security Law Blog

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

The revised draft regulations contain the following key changes and provisions:

Risk Assessments

• Risk Assessment Thresholds
  • Update the list of processing activities that require a risk assessment, which include: (1) selling or sharing personal information; (2) processing sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years old); (3) using ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); and (4) when training ADMT or artificial intelligence that is capable of being used for: (a) a significant decision concerning a consumer, (b) establishing individual identity, (c) physical or biological identification or profiling, (d) generation of a deepfake, or (e) operation of generative models.

• Elements of Risk Assessments
  • Clarify the operational elements of the processing that the business must identify in a risk assessment, which include, e.g., the business’s planned method for collecting, using, disclosing, retaining or otherwise processing personal information, and the sources of the personal information.
  • Clarify which negative impacts to consumers’ privacy a business may consider, including impairing consumers’ control over their personal information, such as by providing insufficient information for them to make an informed decision regarding the processing of their personal information.
  • Clarify the safeguards that a business must identify for ADMT to ensure it works as intended and does not discriminate.

• Submission Requirements
  • Still require the proactive submission of risk assessment materials, including a certification of compliance, risk assessments in abridged form and optionally risk assessments in unabridged form, to the CPPA on an annual basis.
  • Clarify exemptions, including that, if there have been no material changes in the processing during a subsequent submission period, a business is not required to submit an updated abridged risk assessment (but still must submit a certification of compliance).
  • Streamline what must be included in an abridged risk assessment.

ADMT

• Definition of Automated Decisionmaking Technology
  • Clarify that a technology is an ADMT if it processes personal information and uses computation to execute a decision, replace human decisionmaking or substantially facilitate human decisionmaking.
  • Clarify that, while ADMT includes profiling, it excludes specific technologies, such as web hosting, caching, data storage, firewalls and spam-filtering, provided that the technologies do not execute a decision, replace human decisionmaking or substantially facilitate human decisionmaking.

• Definition of Profiling
  • Expand the scope of profiling to include automated processing to analyze or predict an individual's intelligence, ability, aptitude, mental health and predispositions.

• Covered ADMT Uses
  • Update the list of ADMT uses for which consumers can exercise their right to opt-out, which includes using ADMT (1) for a significant decision concerning a consumer; (2) for extensive profiling of a consumer; and (3) for training ADMT that is capable of being used for: (a) a significant decision concerning a consumer, (b) establishing individual identity, (c) physical or biological identification or profiling, or (d) generation of a deepfake.
  • Recognize certain exceptions for ADMT uses that are not subject to consumers’ opt-out requests, including where the ADMT is used for maintaining security, fraud prevention and safety, and in certain circumstances where a method to appeal the decision to a human reviewer is provided. These exceptions do not apply to profiling for behavioral advertising or for the training use of ADMT.

• Notice Requirements
  • Require the business to provide information to consumers about how the business proposes to use the ADMT, to enable them to decide whether to opt-out or proceed, and whether to exercise their access right.
  • Tailor requirements to specific uses of ADMT, streamline the information that a business must provide and require that a business must provide additional notice (post-use) for certain significant decisions adverse to the consumer.

• Access Rights
  • Require the business to provide plain language explanations of certain information, such as the specific purpose for using the ADMT, how the ADMT worked with respect to the consumer, and that the business is prohibited from retaliating against consumers for exercising their CCPA rights.
  • Recognize an exception from access requests for using ADMT solely for training purposes.

For more information about California’s draft regulations regarding risk assessments and ADMT, please see the Centre for Information Policy Leadership at Hunton Andrews Kurth’s response to the CPPA’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.