Businesses would be required to provide consumers with detailed information about their plans to use automated decisionmaking technology under draft California regulations released this week.
Organizations would also have to provide consumers with the ability to opt out of their use of such automated technologies that are often powered by AI.
The draft regulations define automated decisionmaking technology as any system, software, or process “that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.”
Businesses have been reported to use automated technology to assist with decisions in employment, housing and banking contexts, among others.
The proposed automated decisionmaking regulations were released Monday by the California Privacy Protection Agency and will be reviewed by the agency’s board at its Dec. 8 meeting. Formal rulemaking is expected to begin next year, the agency said.
“These draft regulations support the responsible use of automated decisionmaking while providing appropriate guardrails with respect to privacy, including employees’ and children’s privacy,” said Vinhcent Le, a California privacy agency board member, in a press release.
The regulations would require businesses to provide “Pre-use Notices” to let consumers know how the business proposes to utilize so-called ADMT.
The explanation of the purpose for which the business wants to use the technology must be specific rather than generic and use plain language.
The notices should also contain an easy method by which a consumer can obtain additional information about the business’ use of ADMT.
The extra information should include the logic used in the technology and the intended output. A business must describe how it plans to use the output to make a decision, including the role of any human involvement.
Additionally, a business must highlight whether its use of ADMT “has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation.”
Consumers can review the information provided by businesses to decide whether to opt out of the use of ADMT.
The draft regulations list three types of ADMT uses for which a business must provide consumers with the ability to opt out.
The first is for a decision “that produces legal or similarly significant effects concerning a consumer.”
These decisions are ones that result in “access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.”
The second ADMT use listed in that section is profiling a consumer “who is acting in their capacity as an employee, independent contractor, job applicant, or student.”
The draft regulations define profiling as any form of automated processing of personal information to evaluate certain personal aspects, including to analyze or predict aspects concerning a person’s performance at work.
Businesses also must provide consumers with the ability to opt out of using ADMT to profile them while they are in a publicly accessible place using Wi-Fi or Bluetooth tracking, among other technology.
There are three other options provided for board discussion, including providing an opportunity to opt out of profiling a consumer for behavioral advertising or profiling a consumer the business knows is under the age of 16.
David Stauss, a Husch Blackwell partner, highlighted in a blog post that the proposed regulations apply to the automated processing of some types of employee information such as keystroke loggers, productivity or attention monitors and web-browsing.
“Businesses with California employees would need to take a close look at their employee data collection activities to ensure compliance,” Stauss wrote on the Byte Back blog.
He also said that allowing employees to opt out of their employers’ use of ADMT for profiling is notable.
The regulations lay out several uses of ADMT for which businesses are not required to provide consumers with an ability to opt-out.
The exceptions include using the technology “to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.”
Other exceptions are using ADMT “to protect the life and physical safety of consumers” and “to provide the good or perform the service specifically requested by the consumer.”
Additionally, the technology can be used without an opt-out option “to resist malicious, deceptive, fraudulent, or illegal actions directed at the business.”
As part of consumers’ rights to access, businesses would be required to provide various information to consumers about the use of ADMT for processing activities.
This includes a mandate to let consumers know if a business has made a decision that results in the denial of goods or services as set forth in the regulations. This could include denying an employment opportunity or lowering an employee’s compensation.
Businesses would need to detail how they used the output from automated technology to make a decision with respect to the consumer and any factors other than the output that the business used to make the decision, among other information.