11/29/2023

The Long Wait Is Finally Over – California Provides Guidance On The Use Of Automated Decision-Making Technologies

The California Privacy Protection Agency (Agency) has released its long-awaited draft rules on automated decision-making technologies. The draft rules outline how businesses using these systems must provide notice to consumers, provide an opt-out option to consumers, and give consumers access to details on the outputs of the automated decision-making technologies.

While the Agency has stated that it has not started its formal rulemaking process and that the draft text is intended to simply facilitate discussion and public comment, the draft rules provide needed insight into the Agency’s intent and the potential future obligations a business will have with respect to automated decision-making technologies.

The draft rules define “Automated Decision-Making Technology” as: any system, software, or process – including one derived from machine-learning, statistics, or other data-processing or artificial intelligence – that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. Automated Decision-Making Technology includes profiling, where “Profiling” is defined under the draft rules as “processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

A business (that is otherwise subject to the California Consumer Privacy Act (CCPA)) that utilizes Automated Decision-Making Technology will be required to do the following:

1.      Pre-Use Notice – Businesses must provide a “Pre-Use Notice” (delivered prior to any processing by the business using Automated Decision-Making Technologies). The Pre-Use Notice must inform consumers about the business’s use of Automated Decision-Making Technology and the consumer’s right to opt out of, and access information with respect to, the business’s use of Automated Decision-Making Technology.

a.      The Pre-Use Notice must:

i.      Explain the purpose for which the business proposes to use the Automated Decision-Making Technology. Note that generic explanations, like “to improve our services,” are specifically called out by the Agency as insufficient.

ii.      Describe the consumer’s right to opt out of the business’s use of Automated Decision-Making Technologies and the process by which the consumer opts out. Note that the opt-out right applies only to certain processing activities, including:

1.      A decision that produces a legal or similarly significant effect concerning a consumer;

2.      Profiling a consumer who is acting in their capacity as an employee, independent contractor, job applicant or student. For example, profiling an employee using keystroke loggers, productivity or attention monitors, video or audio recording or live-streaming, facial- or speech- recognition or detection, automated emotion assessment, location trackers, speed trackers and web-browsing, mobile-application or social media monitoring tools;

3.      Profiling a consumer while they are in a Publicly Accessible Place. For example, profiling while a consumer is using wi-fi or Bluetooth tracking, radio frequency identification, drones, video or audio recording or live-streaming, facial- or speech- recognition or detection, automated emotion assessment, geofencing, location trackers, or license-plate recognition. “Publicly Accessible Place” is defined as a place that is open to or serves the public (shopping malls, restaurants, stores, movie theaters, hospitals, stadiums, clinics, transportation depots, streets, etc.);

4.      Profiling a consumer for behavioral advertising. Note, this activity is further limited to an opt-in when individuals are under the age of 16; or

5.      Processing personal information of consumers to train Automated Decision-Making Technology.

b.      The rules governing the methods for providing the notice and for submitting opt-out requests generally align with the CCPA’s rules governing general privacy notice and individual rights requests. The draft rules specifically provide that a notification or tool regarding cookies (like a cookies banner) is not by itself an acceptable method for submitting requests to opt out of Automated Decision-Making Technologies because cookies concern the collection of personal information, not the use.

c.       A consumer may opt out at any point while processing is occurring.

d.      Every 12 months, a business may re-ask for consent to use Automated Decision-Making Technologies that a consumer has opted out of.

e.      A business does not have to provide an Opt-Out of the use of the Automated Decision-Making Technologies if the business’s use is related to the following purposes:

i.      To prevent, detect and investigate security incidents;

ii.      To resist malicious, deceptive, fraudulent or illegal actions directed at the business and to prosecute those responsible for such actions;

iii.      To protect the life and physical safety of consumers; or

iv.      To provide the good or service specifically requested by the consumer; provided there is no reasonable alternative method of processing (there is a rebuttable presumption that there is an alternative method if a different method is or has been used within the business’s industry or similar industries to provide a similar good or perform a similar service).

2.      Requests to Access Information – Consumers have a right to access information about the business’s uses of Automated Decision-Making Technologies. The rules governing the methods and request process for this additional access right are similar to those existing under the CCPA today. When a request for access is made, the business must provide an explanation of the following to the consumer:

i.      The purpose for which the business used Automated Decision-Making Technologies;

ii.      The output of the Automated Decision-Making Technology with respect to the consumer;

iii.      How the business used the output to make a decision (or an explanation of how it will be used);

iv.      How the Automated Decision-Making Technology worked with respect to the consumer (for example, the logic (assumptions/limitations applied, etc.) and key parameters affecting the output);

v.      The method to obtain the range of possible outputs;

vi.      Instructions on how to exercise other rights under the CCPA; and

vii.      The method by which to submit a complaint to the Agency or the California Attorney General.

3.      Notice of Denial of Goods or Service – If a business makes a decision using Automated Decision-Making Technologies that results in a denial of goods or services that has a legal or similarly significant effect concerning a consumer (including denial of an employment opportunity), the business must notify the consumer of the following:

i.      That the business made a decision with respect to the consumer;

ii.      That the consumer has a right to access information about the business’s use of that Automated Decision-Making Technology;

iii.      How the consumer can exercise their access rights; and

iv.      That the consumer can file a complaint with the Agency and the California Attorney General.

Note that if your organization is a service provider to businesses (as defined under the CCPA), it is expressly required to provide assistance in responding to consumer requests.

Do you have to comply with California’s Consumer Privacy Act? Do you need assistance in analyzing its application and confirming your organization’s obligations? Reach out to McGrath North’s privacy and cybersecurity team for guidance.