CA Privacy Agency Advances Regulations, Might Loosen Rules on Automated Decisions

Published on

The California Privacy Protection Agency met Friday and advanced several regulations surrounding automated decisionmaking technology (ADMT) and data brokers, as well as announced the exit of Executive Director Ashkan Soltani.

Here’s what happened:
 
Automated Decisions

The privacy agency advanced to public comment a package of draft regulations governing companies’ use of automated decisions, but not before some board members signaled that they want to loosen the rules.

The regulations, now under formal rulemaking, are aimed at uncloaking automated decisions, which are increasingly being used to mysteriously decide who gets a job, college education, loan, or health care. There is no federal law forcing companies to allow consumers to opt out of their personal information being used in an automated decision, and California has led the way in safeguarding people’s data.  

As the draft regs stand now, consumers have the right to be informed when a decision involving their personal information is made by ADMT, how the decision was reached, and the opportunity to opt out of its use. Companies will also have to submit risk assessments and audits. While the draft language stands to give consumers strong protections from automated decisions, exactly what constitutes an automated decision has been narrowed by the board in the past, and a debate is still playing out among the board over the regulation’s broadness.

Opposition to the rules has so far expectedly coalesced in the business community, who fear the draft language will be too costly and burdensome. It now has an unlikely ally on the privacy board in Alastair Mactaggart, the real estate developer who spearheaded the California Privacy Rights Act in the first place.

Serving as the lone dissenting vote to advance the rules, Mactaggart said the regulations were overbroad because they regulated technology and not tech. He used spreadsheets as an example.

“Using spreadsheets are not automated decisions, but using regression analysis is,” said Mactaggart. “So that technology was introduced in 1990, but now it will require businesses to do a risk assessment. And I think that’s a significant overreach.”

He also said that the rules would allow for consumers to “even opt out of contextual ads.”

“At some meaningful level this will break the Internet,” said Mactaggart. “We’re just going to wreak havoc and hurt privacy.”

Mactaggart suggested deleting Articles 10 and 11 of the draft regs, which specify when risk assessments and audits should be completed by businesses and what they require.

Board member Vinhcent Le, who previously disagreed with some of Mactaggart’s views on the regs and voiced concern that they might be too lenient, agreed with Mactaggart on some points.

“I don’t want risk assessments for a Booking.com reservation,” said Le. “I want to make sure when there is an opt out, it’s an important one.”

While the definition of an automated decision is broad, the law also narrows protections to important decisions, such as lending services, housing, insurance, education enrollment, criminal justice, employment, and health care. There are also several exemptions for tech, such as calculators, databases, and spreadsheets.

“Some examples I heard today would not be subject to those rules,” clarified privacy agency lawyer Philip Laird, but he didn’t name which ones.

The board also mulled whether to further narrow the draft language before sending to public comment, which would delay the process by nearly a year. The board has already amended and voted on the package of rules in a preliminary fashion a couple times before, as they’ve already been working on them for nearly two years.

Board member Jeffrey Worthe, maybe signaling similar sentiments of Mactaggart, asked, “Why should I be comforted if no changes have happened from a business perspective?”

“I don’t think we can just keep shooting at another target and get anything that is going to be more certain than what we can get from public comment,” said Board Chair Jennifer Urban.

Board member Drew Liebert basically agreed, and urged the board to let the process play out, instead of prematurely narrowing the options for the public.

“Sixty percent of Californians voted for the law,” said Liebert.

Referring to the official rulemaking and public comment period, “We certainly haven’t gotten there yet, have we?”

Public comment is now open for 45 days and is expected to run into January. The board is expected to finalize the regulations sometime during the first quarter of 2025.
 
Data Brokers

The agency adopted some clarifying regulations surrounding data brokers, including registration requirements, disclosure and the definition of key terms. These are regulations pursuant to the Delete Act, which went into effect this year and is aimed at giving Californians more control over their personal data from data brokers, who collect and sell data enormous amounts of data.

One of the things the agency did was expand the definition of a data broker. A business is still a data broker “if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”

This way personal information that brokers get indirectly from third-parties, like other data brokers, is now captured under the law. In addition, you are a data broker in California if you keep personal information about a consumer who you have not interacted with for more than three years.

The regulations also require data brokers to disclose whether they collect reproductive health care data, including information about a person who searches or accesses goods or services such as contraception, fertility vitamins, hormone replacement therapy, and reproductive health apps, among others. These are common sense regulations which will empower people with more protections from a runaway data mining industry that profits off people’s most sensitive details.
 
The Agency is Looking for a New Leader

After three years on the job, CPPA Executive Director Ashkan Soltani will leave his job in January. A former technologist at the Federal Trade Commission, Soltani helped launch the privacy agency in 2021, building out enforcement and helping guide the rulemaking process. He didn’t disclose where he’ll be going, but Soltani said he expects to be active in the data privacy space. The privacy agency will have to ultimately confirm a successor.

Justin Kloczko
Justin Kloczko
Justin Kloczko follows tech and privacy for Consumer Watchdog. He’s a recovering daily newspaper reporter whose work has also appeared in Vice, Daily Beast and KCRW.
Latest Privacy Videos
Video thumbnail
KTVU-SF (FOX) - San Francisco, CA: Several Tech Bills Head To Governor's Desk
06:12
Video thumbnail
Al Jazeera: Google antitrust law trial US court says google is a monopolist, violated law
02:17
Video thumbnail
Consumer Alert — National Data Breach
01:24
Video thumbnail
KTVU-SF (FOX) - San Francisco, CA: Calm App, Doordash Software Sued For Data Sharing
05:40
Video thumbnail
Consumer Alert: No Opt Out
00:49
Video thumbnail
KCAL-LA - Los Angeles, CA: Investigation Into California's Newborn DNA Database
03:39
Video thumbnail
Consumer Alert: Data Parasites
02:07
Video thumbnail
KCBS - Los Angeles, CA: California Biobank Stores Every Baby's DNA; Parents Had No Idea
04:26
Video thumbnail
Consumer Alert: Wall Street using AI
01:48
Video thumbnail
KCBA (FOX) CA: Clearview AI Is Creating An AI Facial Recognition Software That Violates Privacy Laws
00:35
Video thumbnail
KGO CA: Consumer Watchdog Calls Attorney General to Investigate Clearview AI For Violating State Law
03:06
Video thumbnail
KNTV-SF (NBC) - San Francisco, CA: Tesla Recalls Millions of Cars
02:29
Video thumbnail
Consumer Alert: Clearview AI
01:19
Video thumbnail
Californians Now Have More Power Over Their Data
01:07
Video thumbnail
KPIX CBS TV-5 San Francisco, CA: Your Car's Computer Could Be Tracking And Reporting Your Every Move
00:48
Video thumbnail
California Votes YES on Privacy- Prop 24
13:14
Video thumbnail
Rage For Justice Report Podcast- Prop 24 For Your Privacy
19:18
Video thumbnail
Consumer Watchdog Hacks Tesla
02:00
Video thumbnail
FOX KSWB: New Internet-Connected Cars Could Get Hacked
01:05
Video thumbnail
ABC: Kill Switch Report Highlights Widespread Hacking Vulnerability of Connected Cars
02:12
Video thumbnail
KTTV FOX: Consumer Watchdog Report Warns That Hackers Can Take Over Your Car
05:02
Video thumbnail
SPECNEWS1: Watchdog Warns Cars With Internet Connection Vulnerable to Hacking
00:37
Video thumbnail
KBCW: Connected Cars Pose Risk to Driver Safety Due to Hacking Vulnerability
02:31
Video thumbnail
ABC KGO: Whistleblower Engineers Warn Connected Cars Need A Kill Switch to Stop Hacking
02:10
Video thumbnail
KCAL: Alarming Watchdog Report Shows Connected Cars Are Vulnerable to Hacking
02:51
Video thumbnail
ABC KGTV: Report Says Internet-Linked Cars Are Vulnerable To Hackers
00:30
Video thumbnail
KTTV Fox 11: Consumer Watchdog Report Shows How Vulnerable Connected Cars Are To Dangerous Hacking
01:05
Video thumbnail
NBC: Watchdog Report Show Connected Cars Lack of Cybersecurity Put Drivers at Risk
03:38
Video thumbnail
CBS KGPE: Connected Cars Pose A Cybersecurity Risk
03:05
Video thumbnail
Fox WDAF: High-Tech Cars Put Drivers At Risk Of Hacking Interference
00:47
Video thumbnail
ABC WXYZ: Connected Cars Can Be Hacked Says Kill Switch Report
01:36
Video thumbnail
KTTV GDLA: US Senators Write NHTSA About Connected Car Concerns
01:17
Video thumbnail
FOX KPTV: Kill Switch Report Details Cybersecurity Issues With Internet Connected Cars
02:28
Video thumbnail
CBS LA: Kill Switch Study Finds Connected Cars Are Vulnerable to Hacking
01:41
Video thumbnail
FOX KTTV: Consumer Watchdog on Privacy Issues, Hacking Risks With Internet-Connected Toys
03:00
Video thumbnail
CBS Evening News With Norah O'Donnell: Jamie Court Explains the Value of CA's Consumer Privacy Act
02:04
Video thumbnail
WAFF TV-48 Alabama: Watchdog Report Highlights Car-Hacking Risks
03:16
Video thumbnail
ABC KFSN: Internet-Connected Vehicles At Risk Of Being Hacked Says New Watchdog Report
00:33
Video thumbnail
KPIX CBS: Connected Cars Need A Kill Switch To Stop Dangerous Hacking
02:31
Video thumbnail
KCAL: Kill Switch Report Warns of Hacking Risk For Connected Cars
01:29
Video thumbnail
KTLA: Consumer Watchdog Report Warns of Hacking Risk For Internet Connected Cars
01:05
Video thumbnail
CBS This Morning: "Movie Pass Engages in Deceptive Data Mining" Says Consumer Watchdog
03:09
Video thumbnail
California Passes Strictest Privacy Law in Nation - Rising Up w/Sonali
13:09
Video thumbnail
Consumer Watchdog Exposes
04:20
Video thumbnail
How Google backs Backpage Sex-Trafficking, Press Conference Pt. 1
14:55
Video thumbnail
How Google backs Backpage Sex-Trafficking, Press Conference Pt. 3
14:57
Video thumbnail
Amazon Prime? Or Amazon Slime?
01:22
Video thumbnail
KMAX CBS Sacramento: Amazon shows deceptive prices to trick consumers, says Consumer Watchdog
00:31
Video thumbnail
KABC Los Angeles: Anti-Child Sex Trafficking Groups Call Out Google's Backing of Backpage
02:11
Video thumbnail
KPIX-CBS, San Francisco: DMV Investigates Uber After Consumer Watchdog report
00:28

Privacy In The News

Latest Privacy Report

Support Consumer Watchdog

Subscribe to our newsletter

To be updated with all the latest news, press releases and special reports.