The California Privacy Protection Agency met Friday, advanced several regulations surrounding automated decisionmaking technology (ADMT) and data brokers, and announced the exit of Executive Director Ashkan Soltani.
Here’s what happened:
Automated Decisions
The privacy agency advanced to public comment a package of draft regulations governing companies’ use of automated decisions, but not before some board members signaled that they want to loosen the rules.
The regulations, now under formal rulemaking, are aimed at uncloaking automated decisions, which are increasingly being used to mysteriously decide who gets a job, college education, loan, or health care. There is no federal law forcing companies to allow consumers to opt out of their personal information being used in an automated decision, and California has led the way in safeguarding people’s data.
As the draft regs stand now, consumers have the right to be informed when a decision involving their personal information is made by ADMT and how the decision was reached, and they must have the opportunity to opt out of its use. Companies will also have to submit risk assessments and audits. While the draft language stands to give consumers strong protections from automated decisions, exactly what constitutes an automated decision has been narrowed by the board in the past, and a debate is still playing out among the board over the regulation’s breadth.
Opposition to the rules has, as expected, so far coalesced in the business community, which fears the draft language will be too costly and burdensome. It now has an unlikely ally on the privacy board in Alastair Mactaggart, the real estate developer who spearheaded the California Privacy Rights Act in the first place.
Serving as the lone dissenting vote to advance the rules, Mactaggart said the regulations were overbroad because they regulated technology and not tech. He used spreadsheets as an example.
“Using spreadsheets are not automated decisions, but using regression analysis is,” said Mactaggart. “So that technology was introduced in 1990, but now it will require businesses to do a risk assessment. And I think that’s a significant overreach.”
He also said that the rules would allow for consumers to “even opt out of contextual ads.”
“At some meaningful level this will break the Internet,” said Mactaggart. “We’re just going to wreak havoc and hurt privacy.”
Mactaggart suggested deleting Articles 10 and 11 of the draft regs, which specify when risk assessments and audits should be completed by businesses and what they require.
Board member Vinhcent Le, who previously disagreed with some of Mactaggart’s views on the regs and voiced concern that they might be too lenient, agreed with Mactaggart on some points.
“I don’t want risk assessments for a Booking.com reservation,” said Le. “I want to make sure when there is an opt out, it’s an important one.”
While the definition of an automated decision is broad, the law also narrows protections to important decisions, such as lending services, housing, insurance, education enrollment, criminal justice, employment, and health care. There are also several exemptions for tech, such as calculators, databases, and spreadsheets.
“Some examples I heard today would not be subject to those rules,” clarified privacy agency lawyer Philip Laird, but he didn’t name which ones.
The board also mulled whether to further narrow the draft language before sending it to public comment, which would delay the process by nearly a year. The board has already amended and voted on the package of rules in a preliminary fashion a couple of times before, as it has been working on them for nearly two years.
Board member Jeffrey Worthe, perhaps signaling sentiments similar to Mactaggart’s, asked, “Why should I be comforted if no changes have happened from a business perspective?”
“I don’t think we can just keep shooting at another target and get anything that is going to be more certain than what we can get from public comment,” said Board Chair Jennifer Urban.
Board member Drew Liebert basically agreed, and urged the board to let the process play out, instead of prematurely narrowing the options for the public.
“Sixty percent of Californians voted for the law,” said Liebert.
Referring to the official rulemaking and public comment period, he added, “We certainly haven’t gotten there yet, have we?”
Public comment is now open for 45 days and is expected to run into January. The board is expected to finalize the regulations sometime during the first quarter of 2025.
Data Brokers
The agency adopted some clarifying regulations surrounding data brokers, including registration requirements, disclosure and the definition of key terms. These are regulations pursuant to the Delete Act, which went into effect this year and is aimed at giving Californians more control over their personal data from data brokers, who collect and sell enormous amounts of data.
One of the things the agency did was expand the definition of a data broker. A business is still a data broker “if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”
This way, personal information that brokers get indirectly from third parties, like other data brokers, is now captured under the law. In addition, you are a data broker in California if you keep personal information about a consumer who you have not interacted with for more than three years.
The regulations also require data brokers to disclose whether they collect reproductive health care data, including information about a person who searches or accesses goods or services such as contraception, fertility vitamins, hormone replacement therapy, and reproductive health apps, among others. These are common-sense regulations which will empower people with more protections from a runaway data mining industry that profits off people’s most sensitive details.
The Agency is Looking for a New Leader
After three years on the job, CPPA Executive Director Ashkan Soltani will leave his job in January. A former technologist at the Federal Trade Commission, Soltani helped launch the privacy agency in 2021, building out enforcement and helping guide the rulemaking process. He didn’t disclose where he’ll be going, but Soltani said he expects to be active in the data privacy space. The privacy agency will have to ultimately confirm a successor.