Introduction
The California Privacy Protection Agency (CPPA) is advancing new regulations under the California Consumer Privacy Act (CCPA) to address automated decision-making technology (ADMT) [2], privacy risk assessments [2] [3] [4], and cybersecurity audits [1] [2] [3]. These proposed regulations aim to update existing CCPA provisions, impacting employers and data brokers significantly.
Description
On November 8, 2024 [1] [2], the California Privacy Protection Agency (CPPA) Board voted 4-1 to advance draft regulations under the California Consumer Privacy Act (CCPA) [2] covering automated decision-making technology (ADMT) [1] [2] [3], privacy risk assessments [2] [3] [4], and cybersecurity audits [1] [2] [3], thereby initiating formal rulemaking [1]. The proposed regulations would update existing CCPA provisions and define ADMT as technology that processes personal information to execute or facilitate decisions, potentially replacing human judgment [1]. If adopted [1], they would impose extensive requirements on employers that use AI tools for employment-related decisions [1], including hiring [1] [4], work allocation [1], compensation [1], promotions [1], and terminations [1].
Employers would be required to disclose their use of ADMT to employees [1], independent contractors [1], and job applicants [1], and to inform them of their right to opt out and to access information about the ADMT before their personal data is processed [1]. For significant employment decisions involving physical or biological identification [1], a bias review would be mandated to prevent discrimination against protected classes [1]. Significant decisions are defined to include those affecting access to critical services such as financial services [4], housing [2] [4], insurance [4], education [3] [4], healthcare [4], and essential goods [3] [4]. It remains uncertain, however, whether these audits must be tailored to each employer [1]. The regulations also emphasize that significant decisions need clearer definitions and that the term “access to” should be removed from those definitions.
Additionally, the regulations would grant consumers the ability to opt-out of ADMT use and request human review of significant employment decisions [1]. Employers could deny opt-out requests for certain decisions if they can demonstrate that the ADMT has adequate accuracy and nondiscrimination safeguards [1]. Furthermore, essential goods and services require clarification to prevent unnecessary assessments [3], and the CPPA Board is expected to provide a comprehensive list of acceptable assessments from other jurisdictions to minimize duplication and compliance costs [3].
Employers would need to conduct and document annual privacy risk assessments before processing personal information that poses significant privacy risks [4], evaluating whether the privacy risks outweigh the benefits [1]. This requirement covers a wider range of processing activities than comparable laws in other states [4], including the sale or sharing of personal information and the handling of sensitive personal information [4]. The risk assessment must detail the purpose, processing methods [1], potential negative impacts [1], and safeguards [1], and must be submitted to the CPPA. Additionally, employers must conduct annual cybersecurity audits to confirm that data protection measures are effective and to address any identified gaps [1]; an independent auditor is required for these audits [1].
Following the CPPA’s notice of proposed rulemaking [1], a public comment period of at least 45 days will commence [2]; the regulations are expected to be published for public comment in early December 2024 [3]. The comment period is anticipated to extend through at least January 14, 2025, during which the CPPA will hold a public hearing on the proposed regulations. After reviewing comments, the CPPA may revise the regulations; depending on the nature of the changes, additional comment periods could be required [2], though only modest changes are expected before the regulations are submitted for final approval. The earliest possible effective date for the regulations is anticipated to be April 1, 2025. Businesses subject to the California Consumer Privacy Act (CCPA) should closely monitor the upcoming regulations and consider submitting comments during the formal rulemaking process [3].
In addition, the California Delete Act mandates that data brokers register annually with the CPPA [2] and, starting August 1, 2026 [2], comply with consumer deletion requests through a centralized mechanism [2]. The proposed regulations clarify key definitions and establish registration requirements for data brokers [2], which may affect businesses that combine third-party data with their first-party customer relationships [2]. If approved, these regulations will take effect on January 1, 2025.
Conclusion
The proposed regulations by the CPPA represent a significant shift in how automated decision-making technology and data privacy are managed under the CCPA. Employers and data brokers will face new compliance requirements, potentially affecting their operational processes and data management practices. The public comment period offers an opportunity for stakeholders to influence the final regulations, which are expected to take effect in 2025. Businesses should prepare for these changes to ensure compliance and mitigate potential risks.
References
[1] https://www.jdsupra.com/legalnews/california-takes-steps-to-regulate-the-3241893/
[2] https://www.jdsupra.com/legalnews/cppa-board-advances-ccpa-regulations-to-5651380/
[3] https://www.wsgr.com/en/insights/californias-privacy-regulatory-odyssey-continues-formal-ccpa-rulemaking-on-the-horizon-amidst-expanded-data-broker-requirements.html
[4] https://www.jdsupra.com/legalnews/cppa-opens-public-comment-period-for-4117755/