On November 8, 2024, the board of California’s Privacy Protection Agency (“Agency” or “CPPA”) met to begin discussing and developing formal rulemaking on several regulatory subjects, including the California Consumer Privacy Act (“CCPA”) update (“CCPA Update”) and automated decision-making technology (ADMT).
Shortly afterwards, on November 22, 2024, the CPPA published several rulemaking documents for public review and comment; the comment period concluded on February 19, 2025. Given the comments received, the CPPA Committee will decide at future board meetings whether to adopt the regulations or change them further. This post summarizes the proposed ADMT regulations and the need for businesses to review them carefully and prepare to take action to ensure future compliance.
Article 11 of the proposed ADMT regulations outlines actions aimed at increasing transparency and consumer rights related to the application of ADMT. The proposed rules define ADMT as a technology that processes personal information and uses computation to make a decision, replace human decision-making, or substantially facilitate human decision-making. Under the regulations, such technology includes software or programs, covers using the output of the technology (including scoring and rankings) as a key factor in a human's decision, and includes profiling. ADMT does not include technologies that do not make decisions, replace human decisions, or substantially facilitate human decisions (this includes web hosting, domain registration, networking, caching, website loading, data storage, firewalls, antivirus, antimalware, spam and robocall filters, spell checks, batteries, and similar technologies). The proposed ADMT regulations require companies to notify consumers about their use of ADMT and to give the basis for implementing it. In addition, companies must provide information on ADMT output as well as the process by which consumers can request to opt out of such ADMT use.
It is important to note that the CCPA Update applies to organizations that meet the thresholds of California Civil Code 1798.140(d)(1)(a), (b), and (c). These provisions apply to organizations that:
(a) earn over $25,000,000 in total annual revenue;
(b) buy or sell, alone or in combination, the personal information of more than 100,000 consumers or households each year; or
(c) derive more than 50% of annual revenue from the sale or sharing of consumer personal information.
What follows is not an exhaustive account of the broad rules and regulations set forth in the proposed CCPA Update, but these are the notable changes and potential business obligations under the new ADMT regulations.
Scope of use
Companies using ADMT to make important decisions about consumers must comply with the requirements of Article 11. “Major Decisions” include decisions that affect financial or lending services, housing, insurance, education, employment, healthcare, critical products or services, or independent contracting. “Critical decisions” include extensive profiling (including, among other things, profiling in work, education, or behavioral advertising) and ADMT that is specifically used for training and profiling AI systems that may affect critical decisions.
Providing advance usage notices
Companies using ADMT must provide consumers with an advance usage notice that informs them of the company's use of ADMT, including its purposes, how the ADMT works, and their CCPA consumer rights. Notices must be easy to read, available in the languages in which the business customarily provides documentation to consumers, and accessible to people with disabilities. Businesses must also present the notice clearly, in the manner in which they primarily interact with consumers, and must do so before using ADMT to process consumer personal information. Exceptions to these requirements apply to ADMT used for security, fraud prevention, or safety, where businesses may omit certain details.
According to section 7220 of the CCPA Update, the advance usage notice must include:
A plain-language description of the business purposes for using ADMT.
A description of the consumer's right to opt out of ADMT and instructions for submitting an opt-out request.
A description of the consumer’s right to access ADMT, including information about how consumers can submit an access request to the business.
Notice that the business may not retaliate against consumers for exercising their rights under the CCPA.
Additional information in plain language (via hyperlink or another simple method) explaining how the ADMT works.
Consumer opt-out rights
Consumers should be able to opt out of ADMT use for important decisions, extensive profiling, or training purposes. Exceptions to the opt-out right include where the company uses ADMT for safety, security, or fraud prevention, or for admission, acceptance, or employment decisions, as long as the use is necessary and the ADMT has been evaluated to confirm that it functions as intended. Companies need to provide consumers with at least two opt-out methods, one of which should reflect the way the business primarily interacts with consumers (e.g. email, internet hyperlinks, etc.). Opt-out methods must be easy to follow and require minimal steps, without requiring the consumer to create an account or provide unnecessary information. Companies must process opt-out requests within 15 business days and may not retaliate against consumers for opting out. Companies must wait at least 12 months before asking consumers who have opted out of ADMT to agree to its use again.
Providing information about ADMT output
Consumers have the right to access information about the output of a business’s ADMT. Although the CPPA regulations do not define “output”, the term may encompass the results produced by ADMT and the important factors that influence them.
If a consumer requests access to ADMT, the company must provide information about the output relating to the consumer, how that output will be used, and the key parameters that affected it. When using output to make important decisions about consumers, businesses must disclose the role of the output and of human involvement. For profiling, companies need to explain the role of the output in the evaluation.
The output information includes forecasts, content, recommendations, and aggregate statistics. The information provided varies depending on the purpose of ADMT, intended outcomes, and consumer requests. Companies need to carefully consider these nuances to avoid excessive disclosure.
Human appeal exception
The CPPA proposes a “human appeal exception,” which allows consumers to appeal the decision to human reviewers who have the authority to override the ADMT decision. Instead of providing the ability to opt out, a business that uses ADMT to make important decisions regarding access to, or denial of, lending services, housing, insurance, educational enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services may choose to rely on the human appeal exception.
To take advantage of the human appeal exception, businesses must designate human reviewers who can understand the decision the consumer is appealing and the impact of that decision on the consumer. Human reviewers must consider the relevant information provided by consumers in their appeal, and may also consider other relevant sources. The business needs to design an appeal method that is easy for consumers to use and requires minimal steps, and must explain it clearly to consumers. Communications and disclosures to appealing consumers must be easy to read and understand, written in the applicable language, and reasonably accessible.
Risk assessment
Under the proposed rules of the CPPA, all businesses that process consumer personal information must conduct a risk assessment before beginning processing, particularly if the business uses ADMT to make important decisions about consumers or to conduct extensive profiling. Companies should conduct risk assessments to determine whether the risk to consumer privacy outweighs the benefits to consumers, businesses and other stakeholders.
When conducting a risk assessment, the company must identify and document:
Operational factors of the ADMT processing, such as collection methods, length of collection, number of affected consumers, and parties with access to this information.
The benefits the processing offers to the business, its consumers, other stakeholders, and the general public.
The negative impacts on consumer privacy.
The safeguards that will be implemented to address those negative impacts.
Information about the risk assessment itself and the people who conducted it.
Whether the business will begin using ADMT despite the identified risks.
Businesses will have 24 months from the effective date of these new regulations to submit the results of risk assessments conducted between the effective date and the date of submission. After completing the initial submission, the business must submit a subsequent risk assessment every calendar year. Additionally, businesses must review and update risk assessments to ensure accuracy at least once every three years and communicate updates through the required annual submission. If there is a significant change in your business’s processing activities, a risk assessment should be conducted immediately. The business must retain all information collected in its risk assessment for as long as the processing continues, or for five years after the assessment is completed, whichever is later.
What should I do now?
The ADMT regulations proposed by the CPPA under the CCPA emphasize the importance of transparency and consumer rights. By requiring companies to disclose how they use ADMT output and the factors that affect that output, the regulations aim to ensure that consumers are informed and that safeguards exist to protect against discrimination. Companies that incorporate ADMT, including AI tools for employment decisions, must therefore follow the proposed regulatory directives and conduct appropriate risk assessments. Regardless of the form in which these regulations are ultimately enforced, preparing appropriate AI governance programs and risk assessment plans will protect the interests of your business and promote employee trust.
Please note that the summary above covers only part of the rules and regulations proposed in the CCPA Update. With the comment period ended, the CPPA will deliberate and finalize the CCPA Update within the year. Obviously, these proposed regulations require more action from businesses to remain compliant. It is important to use this time to plan and prepare for these regulations in advance while waiting for the final update from the CPPA.