Date: 2024-05-28

The draft CCPA AI regulations have three key requirements. Organizations that use covered ADMT must issue pre-use notices to consumers, offer ways to opt out of ADMT, and explain how the business’s use of ADMT affects the consumer.

While the CPPA has revised the regulations once and is likely to do so again before the rules are formally adopted, these core requirements appear in each draft so far. The fact that these requirements persist suggests they will remain in the final rules, even if the details of their implementation change.

Pre-use notices

Before using ADMT for one of the covered purposes, organizations must clearly and conspicuously serve consumers a pre-use notice. The notice must detail in plain language how the company uses ADMT and explain consumers’ rights to access more information about ADMT and opt out of the process.

The company cannot fall back on generic language to describe how it uses ADMT, like “We use automated tools to improve our services.” Instead, the organization must describe the specific use.

The notice must direct consumers to additional information about how the ADMT works, including the tool’s logic and how the business uses its outputs. This information does not have to be in the body of the notice. The organization can give consumers a hyperlink or other way to access it.

If the business allows consumers to appeal automated decisions, the pre-use notice must explain the appeals process.

Opt-out rights

Consumers have a right to opt out of most covered uses of ADMT. Businesses must facilitate this right by giving consumers at least two ways to submit opt-out requests.

At least one of the opt-out methods must use the same channel through which the business primarily interacts with consumers. For example, a digital retailer can have a web form for users to complete.

Opt-out methods must be simple and cannot have extraneous steps, like requiring users to create accounts.

Upon receiving an opt-out request, a business must stop processing a consumer’s personal information using that automated decision-making technology within 15 days. The business can no longer use any of the consumer’s data that it previously processed. The business must also notify any service providers or third parties with whom it shared the user’s data.

Exemptions

Organizations do not need to let consumers opt out of ADMT used for safety, security, and fraud prevention. The draft rules specifically mention using ADMT to detect and respond to data security incidents, prevent and prosecute fraudulent and illegal acts, and ensure the physical safety of a natural person.

Under the human appeal exception, an organization need not enable opt-outs if it allows people to appeal automated decisions to a qualified human reviewer with the authority to overturn those decisions.

Organizations can also forgo opt-outs for certain narrow uses of ADMT in work and school contexts. These uses include:

Evaluating a person’s performance to make admission, acceptance, and hiring decisions.

Allocating tasks and determining compensation at work.

Profiling used solely to assess a person’s performance as a student or employee.

However, these work and school uses are only exempt from opt-outs if they meet the following criteria:

The ADMT in question must be necessary to achieve the business’s specific purpose and used only for that purpose.

The business must formally evaluate the ADMT to ensure that it is accurate and does not discriminate.

The business must put safeguards in place to ensure that the ADMT remains accurate and unbiased.

None of these exemptions apply to behavioral advertising or training ADMT. Consumers can always opt out of these uses.

The right to access information about ADMT use

Consumers have a right to access information about how a business uses ADMT on them. Organizations must give consumers an easy way to request this information.

When responding to access requests, organizations must provide details like the reason for using ADMT, the output of the ADMT regarding the consumer, and a description of how the business used the output to make a decision.

Access request responses should also include information on how the consumer can exercise their CCPA rights, such as filing complaints or requesting the deletion of their data.

Notification of adverse significant decisions

If a business uses ADMT to make a significant decision that negatively affects a consumer—for example, by leading to job termination—the business must send a special notice to the consumer about their access rights regarding this decision.

The notice must include:

An explanation that the business used ADMT to make an adverse decision.

Notification that the business cannot retaliate against the consumer for exercising their CCPA rights.

A description of how the consumer can access additional information about how ADMT was used.