The California Privacy Protection Agency has approved new regulations relating to businesses’ use of automated decisionmaking technology (ADMT). These regulations impact employers who are subject to the California Consumer Privacy Act and who engage in the following:
- Uses ADMT to make a “significant decision” concerning a consumer.
- “Significant decisions” are decisions that have important consequences for consumers (e.g., decisions to provide or deny financial services, housing, insurance, educational or employment opportunities, healthcare services, or essential goods or services like groceries, medicine, or fuel).
- “Significant decisions” are decisions that have important consequences for consumers (e.g., decisions to provide or deny financial services, housing, insurance, educational or employment opportunities, healthcare services, or essential goods or services like groceries, medicine, or fuel).
- Uses ADMT for “extensive profiling.”
- “Extensive profiling” includes analyzing consumers’ personality, interests, behavior, or location in their workplace, at school (“work/educational profiling”), or in public places (e.g., using facial-recognition technology in a store to identify potential shoplifters) (“public profiling”), or to target ads to them (“profiling for behavioral advertising”).
- “Extensive profiling” includes analyzing consumers’ personality, interests, behavior, or location in their workplace, at school (“work/educational profiling”), or in public places (e.g., using facial-recognition technology in a store to identify potential shoplifters) (“public profiling”), or to target ads to them (“profiling for behavioral advertising”).
- Uses personal information to train ADMT that could be used in the following ways:
- To identify people (e.g., facial-recognition technology);
- For physical or biological identification or profiling (e.g., analyzing people’s facial expressions or gestures to infer their emotional state);
- To make significant decisions; or
- To generate deepfakes (e.g., fake images of real people that are presented as truthful or authentic)
Effective January 1, 2027, a covered business must provide the consumer with:
- A Pre-use Notice about its use of ADMT, which would have to include:
- Why the business wants to use the ADMT;
- How the ADMT would work (such as the key factors that affect its output, and how the business would use the output to make a decision about the consumer); and
- That the consumer has CCPA rights (to opt-out of ADMT and to access information about the ADMT), how they could exercise them, and that the business cannot retaliate against them for exercising those rights
- An easy way for the consumer to opt-out of the business’s use of ADMT, unless an exception applies.
- If a consumer opted out, the business would not be allowed collect, use, disclose, retain, or otherwise process the consumer’s personal information using that ADMT.
- If a consumer opted out, the business would not be allowed collect, use, disclose, retain, or otherwise process the consumer’s personal information using that ADMT.
- If a consumer did not opt-out, the business also would have to give them an easy way to access information about how the business used the ADMT with respect to them. (This requirement wouldn’t apply to a business’s use of personal information for training ADMT.)
Risk assessments are already required under the CCPA regulations, but covered employers must now also must conduct a risk assessment before using ADMTs. For risk assessments conducted in 2026 and 2027, the business must submit assessment reports no later than April 1, 2028.
The regulations also require cybersecurity reports from covered businesses. A business must complete its first cybersecurity audit report no later than:
- April 1, 2028, if the business’s annual gross revenue for 2026 was more than one hundred million dollars ($100,000,000) as of January 1, 2027. The business’s audit would cover the period from January 1, 2027, through January 1, 2028.
- April 1, 2029, if the business’s annual gross revenue for 2027 was between fifty million dollars ($50,000,000) and one hundred million dollars ($100,000,000) as of January 1, 2028. The business’s audit would cover the period from January 1, 2028, through January 1, 2029.
- April 1, 2030, if the business’s annual gross revenue for 2028 was less than fifty million dollars ($50,000,000). The business’s audit would cover the period from January 1, 2029, through January 1, 2030.
You can access the regulations here, and a helpful fact sheet here.