CPPA further refines draft CCPA regulations: Focus on ‘automated decision-making technology’ (ADMT)

The California Privacy Protection Agency (CPPA) has released another iteration of its proposed comprehensive regulations under the CCPA. 

The latest batch of draft regulations introduces and refines existing provisions relating to automated decision-making technology (ADMT), consent mechanisms, and the formal introduction of mandatory cybersecurity audits and risk assessments. 

Here’s a look at how the Agency’s approach has changed in one particularly important regulatory area: ADMT.

1. Overview of ADMT rules
2. The state of ADMT in the latest regulations
3. Preparing for California’s ADMT regulations

Overview of the ADMT rules

Many comprehensive state privacy laws include rules restricting profiling with “significant” or “legal” effects—using AI and other automated technology to make important decisions on credit, employment, access to services, and other important areas of people’s lives. 

The CCPA empowers the CPPA to effectively write this part of the law via regulations, and the agency originally took an unusually broad and strict approach to regulating how and when businesses may use ADMT. 

The state of ADMT in the latest regulations

Over the past 18 months, the CPPA’s ambitious early approach to regulating ADMT has been tempered by a gradual narrowing of the definitions, scope, and obligations. 

Definition of ‘ADMT’

The definition of automated decision-making technology (ADMT) has changed considerably since the first draft of the CPPA’s regulations. 

Here’s a comparison of the original, December 2023 definition (on the left) and the ADMT definition included in the current draft (on the right): 

Note that, under the earliest version of this definition, ADMT included technology that “facilitated” human decision-making. After several amendments that gradually narrowed the scope of this definition, ADMT now only includes technology that “replaces or substantially replaces” human decision-making. 

This change suggests that the CPPA wishes to allow businesses greater freedom to integrate ADMT into their decision-making processes. 

When determining whether a given technology “substantially replaces” human decisionmaking, businesses should assess the extent to which any “human-in-the-loop” has the appropriate knowledge, ability, and authority to override the technology’s decisionmaking capabilities. 

The current draft regulations have also deleted a definition of “artificial intelligence”—the rules no longer refer explicitly to AI. However, many ADMT systems could reasonably be described as involving AI. 

Scope of ‘significant decision’

The restrictions on using ADMT apply when a business uses the technology to make a “significant decision”. The types of activities that constitute a “significant decision” have changed slightly as the rulemaking process has progressed. 

The current list of areas in which businesses can make a “significant decision” includes: 

1. Financial or lending services: Granting or denying credit or loans, transferring funds, providing deposit/checking accounts, check cashing, and offering instalment payment plans. 
2. Housing: Accepting or denying a consumer permanent or temporary residence in a “home, residence, or sleeping place”. Note that automated decisions about housing based solely on its availability or vacancy and successful receipt of payment are not considered significant decisions. 
3. Education enrollment or opportunities: Admission into academic or vocational programs, the awarding of educational credentials (like degrees or diplomas), and actions like suspension or expulsion. 
4. Employment or independent contracting opportunities or compensation: Hiring, the allocation or assignment of work, compensation, promotions, demotions, suspension, or termination. 
5. Healthcare services: Services for the diagnosis, prevention, or treatment of human disease or impairment, or the assessment and care of an individual’s health. 

Importantly, “significant decision” explicitly excludes advertising to a consumer. This significant amendment to the most recent draft of the regulations means that they no longer apply to businesses that are using ADMT for behavioral advertising. 

Specific rules for businesses engaged in “physical or biological profiling” have also been removed from the draft regulations. 

The ‘pre-use notice’

Providing a “pre-use notice” is one of several obligations on businesses that deploy ADMT. Broadly, the pre-use notice must disclose the business’s use of ADMT, explain how the ADMT works, and notify the consumer of their opt-out rights (see below). 

Since the first draft of the CPPA’s regulations, the rules around pre-use notices have changed in several ways: 

• Businesses are no longer required to explain “the logic used” or to provide “key parameters” involved in the ADMT. The business must still explain “how the (ADMT) processes personal information to make significant decisions…” 
• Businesses must disclose the types of outputs produced by the ADMT, how they are used to make significant decisions, and (if applicable) how humans may impact on the ADMT’s decisions. 
• Businesses must tell consumers what will happen if they exercise their right to opt out of ADMT—unless the fraud detection exception applies. 

The regulations explicitly do not require a pre-use notice to include trade secrets, and do not require a business to compromise its ability to protect personal information, detect fraud, or ensure physical safety. 

The most recent draft of the regulations also states that pre-use notices can be presented alongside other privacy disclosures required by the CCPA. 

Opt-out rights 

The circumstances in which—and extent to which—a business must enable a consumer to opt out of the use of ADMT have also narrowed considerably over the course of the CPPA’s redrafting process. 

In general, a business does not have to offer consumers the right to opt out of AMDT if it implements an appeals process allowing the consumer to request a human review of a significant decision.  

While earlier drafts required the human reviewer to be “qualified” to review the ADMT’s output, the most recent draft only requires the human reviewer to “know how to interpret and use the output.” 

Under the current draft of the regulations, provided certain conditions are met, businesses are no longer required to offer consumers an opt-out or an appeal process: 

• Using ADMT in workplace or educational contexts 
• Profiling consumers in public places 
• Training ADMT models  

Preparing for California’s ADMT regulations

The gradual softening of the CPPA’s regulations brings California’s proposed rules on ADMT closer in line with similar rules in other jurisdictions. 

While the current draft regulations are considerably narrower than previous iterations (and are also estimated to be considerably less costly), all CCPA-covered businesses should assess whether they will be affected. 

As it currently stands, the CPPA has set a deadline of 1 January 2027 for businesses to ensure they comply with the ADMT rules.