California’s Privacy Protection Agency (CPPA) introduced proposed regulations this past November to further protect consumers when their personal information is used in automated profiling. These proposed regulations will facilitate public comment; none of these are in effect.
The attempts by the CPPA to regulate artificial intelligence (AI) and other automated decision-making technologies (ADMT) will have consequential effects on the businesses that use AI to process job and credit applications, compensation decisions, and profiling.
The business law professionals at Hakim Law Group in Los Angeles want to explain what has been proposed by the CPPA and the effects on the operations of certain businesses.
It is important to note that public comment and the rulemaking process are not complete. Both are cumbersome, and it is safe to predict that the regulations will not be final and enacted before 2025.
The Definition of Consumer
The regulations proposed by the CPPA define “consumers” as California residents. This definition includes employees, those seeking employment, and all individuals within the employment and business context.
The Protections
The CPPA is looking to regulate the use of ADMT and the risks to California’s residents. Under the proposed regulations, these protections are the:
- notice before use,
- opt-out right,
- access to information, and
- assessments of risk.
These protections will be extended to all consumers whose personal information is subject to any ADMT to evaluate or profile any aspect of a consumer. The technologies are used to predict a person’s performance, attributes, health, and economic situations.
Let’s be clear—the consumer does not always provide personal information. This information can be mined from keystrokes, web browsing, facial and speech recognition, and social media platforms.
The CPPA seeks to protect California’s residents with the proper notices before any technology is used and offers remedies in cases of misinterpretation and discriminatory results.
The Proposed Regulations
The protections listed above are the goals within the proposed regulations. It is important to understand that the protections to consumers place the onus upon businesses to supply them. The businesses processing personal information must supply the pre-use notice, opt-out rights, access to information, and a plain English explanation of the technology used.
Companies must have the procedures in place to respond to a consumer’s request and the CPPA’s requirement for a risk assessment.
Notice Prior to Use
This notice must be given in advance of any processing. The goal is transparency. A consumer has the right to know the intended use of the output and how the business evaluated the use of any ADMT for fairness, validity, and accuracy.
Opt-Out Right
This right extended to consumers will not be all-encompassing and unilateral. There will be exceptions. Thus far, these exceptions are for instances where fraud or illegal actions against a company could be prevented, and where no reasonable alternative exists for processing personal information.
Consumers should be able to opt out of profiling when in places of public access, like surveillance methods, Bluetooth, Wi-Fi, and other tracking technologies.
Again, this is all conceptual to generate public input. There needs to be conversations about how a consumer would submit an opt-out request.
Right to Access Information
A consumer’s right to access information would trigger when denied employment, higher compensation, or the availability of credit, goods, and services. The information must contain the logic assumptions and explain any limitations specific to the consumer.
There will be avenues to contest the ADMT-made decisions, but whether any complaint is submitted to the CPPA or California’s Attorney General has not been vetted.
Risk Assessment
All businesses that process personal information must conduct and submit a risk assessment report to the CPPA or a designated State agency. The subject of this report is the consumer’s privacy risks. There are no given parameters as to which companies would be burdened with conducting the assessment nor how it would be evaluated when received.
The burden of any consumer protection falls on businesses. It remains to be seen whether limitations will be placed upon these protections and how companies will be mandated to offer and respond to a request or a complaint.
For now, it is in the best interest of all California employers to consider the impact of these proposed regulations on current policies and procedures.
If you own or lead a business that uses ADMTs to process personal information, then you need the experience of a business law firm in Los Angeles specializing in AI and privacy laws promulgated by the CPPA.
Hakim Law Group is ready to advise and help all business leaders. Our team of skilled and highly experienced business lawyers in Los Angeles have worked at top-tier international law firms and has served as general counsel to major companies. This high level of diverse legal and business experience is paramount to our boutique approach.
For further information or to schedule an appointment, please contact The Hakim Law Group at 310.993.2203 or visit www.HakimLawGroup.com to learn more.