by Hunton Andrews Kurth LLP

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

The proposed regulations would require businesses to provide a “Pre-use Notice,” which would inform individuals about a business’s use of ADMT and the right to opt-out of or access information about the ADMT in use. The Pre-use Notice must also explain the purpose behind using the ADMT in specific terms. In addition to the notice requirement, the proposed regulations would also allow individuals to opt out of uses of ADMT for decisions that produce legal or similarly significant effects or that involve profiling an individual (1) in their capacity as an employee, student, job applicant, or independent contractor; or (2) in a publicly accessible place. Under the proposed regulations, individuals also can exercise a right to access information about a business’s use of ADMT. Feedback by the CPPA Board on the proposed regulations is anticipated at the upcoming Board meeting. The CPPA is expected to begin formal rulemaking on the draft regulations in 2024.

This post first appeared on the firm’s blog.