California Moves Closer to Regulations on Automated Decision-Making Technology
23 APRIL 2024 | Zac Soto
In recent months, the California Privacy Protection Agency (“CPPA”) has taken significant strides towards regulating the use of automated decision-making technology (“ADMT”), marking a pivotal moment in the evolution of privacy protection laws. With the CPPA’s recent move toward formalizing proposed regulations regarding ADMT (see an overview of proposed rule revisions here), California once again positions itself at the forefront of creating regulatory regimes at the intersection of data privacy and consumer protection, and businesses would do well to monitor how eventual legislation is beginning to take shape.
- Enhanced definitions to clarify the types of technologies considered to be ADMT (including technologies that “replace human decision-making, or substantially facilitate human decision-making.”)
- Revised risk assessment requirements, including thresholds for when businesses must conduct risk assessments and specifications for submission materials. These thresholds include when businesses sell or share personal information, process sensitive personal information, use ADMT for “significant decisions” (including those involving the provision of many education, employment, healthcare or other essential services), and when ADMT may be used to identify and exploit certain key individual elements (such as the use of identifying information in certain generative technologies).
- Imposition of requirements on businesses regarding pre-use notices, opt-out mechanisms, and consumer access to information about ADMT usage, including information regarding the parameters and logic used in ADMT.
California Moves Closer to Regulations on Automated Decision-Making Technology
23 APRIL 2024 | ZAC SOTO
In recent months, the California Privacy Protection Agency (“CPPA”) has taken significant strides towards regulating the use of automated decision-making technology (“ADMT”), marking a pivotal moment in the evolution of privacy protection laws. With the CPPA’s recent move toward formalizing proposed regulations regarding ADMT (see an overview of proposed rule revisions here), California once again positions itself at the forefront of creating regulatory regimes at the intersection of data privacy and consumer protection, and businesses would do well to monitor how eventual legislation is beginning to take shape.
- Enhanced definitions to clarify the types of technologies considered to be ADMT (including technologies that “replace human decision-making, or substantially facilitate human decision-making.”)
- Revised risk assessment requirements, including thresholds for when businesses must conduct risk assessments and specifications for submission materials. These thresholds include when businesses sell or share personal information, process sensitive personal information, use ADMT for “significant decisions” (including those involving the provision of many education, employment, healthcare or other essential services), and when ADMT may be used to identify and exploit certain key individual elements (such as the use of identifying information in certain generative technologies).
- Imposition of requirements on businesses regarding pre-use notices, opt-out mechanisms, and consumer access to information about ADMT usage, including information regarding the parameters and logic used in ADMT.
California Moves Closer to Regulations on Automated Decision-Making Technology
23 APRIL 2024 | ZAC SOTO
In recent months, the California Privacy Protection Agency (“CPPA”) has taken significant strides towards regulating the use of automated decision-making technology (“ADMT”), marking a pivotal moment in the evolution of privacy protection laws. With the CPPA’s recent move toward formalizing proposed regulations regarding ADMT (see an overview of proposed rule revisions here), California once again positions itself at the forefront of creating regulatory regimes at the intersection of data privacy and consumer protection, and businesses would do well to monitor how eventual legislation is beginning to take shape.
- Enhanced definitions to clarify the types of technologies considered to be ADMT (including technologies that “replace human decision-making, or substantially facilitate human decision-making.”)
- Revised risk assessment requirements, including thresholds for when businesses must conduct risk assessments and specifications for submission materials. These thresholds include when businesses sell or share personal information, process sensitive personal information, use ADMT for “significant decisions” (including those involving the provision of many education, employment, healthcare or other essential services), and when ADMT may be used to identify and exploit certain key individual elements (such as the use of identifying information in certain generative technologies).
- Imposition of requirements on businesses regarding pre-use notices, opt-out mechanisms, and consumer access to information about ADMT usage, including information regarding the parameters and logic used in ADMT.