The California Privacy Protection Agency (CPPA) board recently voted on proposed amendments to regulations surrounding automated decisionmaking technology (ADMT), risk assessments, and privacy rules in California. The updated drafts of the ADMT and risk assessment regulations introduce significant changes from prior versions, focusing on enhancing protections for consumers using these technologies under the California Consumer Privacy Act (CCPA).
Key Updates:
1. Automated Decisionmaking, Profiling, and AI: The revised ADMT regulations aim to clarify triggers for businesses, outlining pre-use notice requirements, opt-out rights, and access requirements. New sections address physical or biological identification and profiling.
2. Risk Assessments: The CPPA emphasizes updated risk assessment requirements, including when businesses should conduct assessments, the necessary criteria, and submission methods to the CPPA.
3. Notable Updates: Proposed edits to existing CCPA regulations and further revisions to enhance privacy protections.
CPPA Board Vote Outcome:
While revisions to existing CCPA regulations were approved unanimously, the draft risk assessment and ADMT regulations received a divided 3-2 vote. Concerns were raised by dissenting members regarding potential regulatory overreach and effectiveness in advancing privacy interests. The board aims to gather feedback from external stakeholders before advancing the regulations further.
Future Steps:
Formal rulemaking processes are expected to begin later in the year, with final regulations not projected until 2025. Companies utilizing ADMTs, particularly in behavioral advertising, are encouraged to provide input on the proposed updates to ensure compliance.
Overall, the CPPA’s efforts to strengthen regulations around ADMT, risk assessments, and privacy reflect a proactive approach to safeguarding consumer data and privacy rights in California’s evolving digital landscape.
