More and more, AI is making decisions for us without us even knowing it. On Monday, the California Privacy Protection Agency (CPPA) released draft language for business compliance regarding automated decisionmaking (ADM). Overall, the draft regulations are a strong start that gives people more power over their personal information in areas where discrimination has been proliferating. The regulations also provide a much-needed notice to consumers informing them about their opt-out and disclosure rights.
Here is a breakdown of what the regulations say:
What Counts as Automated Decisionmaking?
The agency’s definition of automated decisionmaking technology is pretty broad:
“Automated Decisionmaking Technology means any system, software, or process—including one derived from machine-learning, statistics, or other data processing or artificial intelligence techniques—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking. ADMT includes profiling.”
Further, the agency said ADM means a “Decision that produces legal or similarly significant effects concerning a consumer.” Those effects include access to, or denial of:
- Financial or lending services
- Housing
- Insurance
- Education enrollment or opportunity
- Criminal justice
- Employment or independent contracting opportunities or compensation
- Healthcare services
- Essential goods or services
So if a potential employer is using AI during the hiring process, it will be within your rights to know more about the AI’s logic and be able to opt out of that hiring algorithm.
Further, if a business is using ADM to profile an employee, freelancer or job applicant, an opt-out right must be provided.
“For example, this includes profiling an employee using keystroke loggers, productivity or attention monitors, video or audio recording or live-streaming, facial- or speech- recognition or -detection, automated emotion assessment, location trackers, speed trackers, and web-browsing, mobile-application, or social-media monitoring tools.”
Businesses cannot profile people in public places without providing an opt-out right. The agency lists Wi-Fi, Bluetooth, audio, video or facial recognition recording as profiling mechanisms. And businesses that knowingly profile those under the age of 16 for behavioral advertising purposes must also provide the opt-out right. The regs note that the board will discuss this part of the law more.
Notice Rights
The preliminary draft rules teased earlier this year were silent on any sort of notice mechanism that entities must use to alert consumers about their ADM rights. That has changed with today’s draft language, which states a business has to tell consumers that it uses ADM, give details about its logic, and offer a chance to opt out of it. It’s one of the more notable portions of the draft regulations. The agency is calling this a “Pre-Use Notice” that must be presented before the business collects personal information. The notice must include:
- “Plain language explanation of the purpose for which the business proposes to use the automated decisionmaking technology.” But businesses can’t just say the reason is, ‘to improve our services,’ because that doesn’t help the average consumer understand the business’s proposed purpose for using the automated decisionmaking technology.
- Information on how to submit an opt-out request for ADM and how to access information about the business’s use of ADM. This includes the logic behind a decision, intended outcome, and whether a decision has been evaluated for validity. Further, if ADM is used to deny employment or lower compensation, a consumer has a right to know how that decision was reached and have the chance to file a complaint, even if a request wasn’t made.
- An opt-out link, but what that link will say has yet to be determined.
The regulations also state that requests to opt out of the business’s use of the automated decisionmaking technology should be easy for consumers to execute and should require minimal steps. A business must wait 12 months after an opt-out request before asking the consumer to opt back in. And if an opt-out request is made after information has already been collected, a business has 15 days to stop processing the personal information. If the request is made before, then a business can’t start processing the information.
Exemptions
A business doesn’t have to comply with opt-out requests if its ADM technology is used to:
- Stop “fraudulent, or illegal actions directed at the business.”
- “Protect the life and physical safety of consumers.”
- Provide service requested by consumers.
There’s a bit of a worry that companies will say they can’t provide a service as a way to skirt the law. However, regarding the requested service exemption, the regulations also note a business would be required to document the fact that there is no “reasonable alternative method” to deliver the service without AI. Businesses must also demonstrate “(1) the futility of developing or using an alternative method of processing; (2) an alternative method of processing would result in a good or service that is not as valid, reliable, and fair; or (3) the development of an alternative method of processing would impose extreme hardship upon the business.”
Avoiding Loopholes
The agency has declined to side with business groups who requested the agency narrow opt-out rights to only fully automated decisions. It appears that by saying “whole or part of a system to make or execute a decision or facilitate human decisionmaking,” businesses can’t use humans as a loophole to greenlight a decision without doing the appropriate work. Partially automated systems should be included to close this potential loophole. The GDPR, for example, did not include “partial” automated decisions.