CA Privacy Agency Debates Scope of Automated Decisions, Proposes Opt Out Preference Signal Legislation

Published on

The state’s top data privacy enforcer, the California Privacy Protection Agency (CPPA), has voted on to send a package of rules surrounding data cyber security audits to public comment while sending regulations for risk assessments and automated decisions back to subcommittees. It also voted to create a legislative proposal to make it easier for Californians to opt out of the sale and sharing of their personal information.

In other privacy news, Consumer Watchdog authored a report on how ClearviewAI, the controversial facial recognition AI, is violating the CCPA, and called on the privacy agency to enforce the opt-out requirement under the California Consumer Privacy Act (CCPA). Read the report and letter to the agency here. Watch a new consumer alert video here.
 
Here’s what happened during the privacy agency’s Dec. 8 meeting:
 
 
A Bid to Make Opting Out Easier
 
Under the CCPA, businesses must allow for Californians to globally opt out of the sharing and selling of their personal information, but most browsers don’t offer these signals. A unanimous vote put forward a legislative proposal that would make California the first state in the country to require browser vendors to offer a global opt out. Such a law would make it a lot easier for people to exercise control of the sale and use of personal information, instead of individually submitting requests to the many businesses we come across online. The process takes a lot of much time and deters people from exercising their rights. The agency is looking for someone to sponsor a bill.
 
The privacy agency said that over 90 percent of the browser market is dominated by Google Chrome, Microsoft Edge and Apple Safari, and that these companies have declined to offer such opt out signals.
 
“If approved through the California legislative process, this proposal will not only advance Californians’ consumer privacy, but help incentivize the development of privacy-enhancing technologies,” said CPPA Executive Director Ashkan Soltani.
 
 
Audits
 
Board members sent regulations for cyber security audits to the 45-day public comment period. Businesses that process the personal information of 250,000 consumers or households in a year will have to submit audits within two years of the regulation being effective, and each year after that. The purpose is to show the public how businesses are safeguarding the processing of people’s personal information. The thresholds also include businesses that collect the sensitive personal information of at least 50,000 consumers, and at least 50,000 people known to a business of having less than 16 years of age.
 
But the board still wants to know more from the state and businesses about a monetary threshold that would also trigger an audit. Initially the regulations required that businesses generating at least $25 million in revenue to submit an audit, but that provision has been struck in draft regulations. The statute sets the threshold at $25 million in revenue or buying, selling or sharing the personal information of at least 100,000 people.
 
“We are looking at ways to better refine minimum monetary thresholds as well as amount of personal information processing a given firm does,” said privacy agency attorney Philip Laird. “The plan is to further refinance as we do economic assessment.”
 
 
Scope of Automated Decisions
 
Board members discussed the recent release of regulations surrounding the rights Californians have over their personal data and automated decision-making technology (ADMT). Specifically, the board discussed the scope of what will constitute ADMT. Privacy board member Alastair Mactaggart expressed his “concern” about the “breadth of the definition” of ADMT. He said the agency should be less concerned about, for example, why an algorithm assigns a customer a certain Doordash driver, and more concerned about who is getting healthcare or not. ADMT monitoring of work performance isn’t as important as things such as union activity or expensive health care costs that companies might factor into layoffs, for example.
 
“We’re a privacy agency and not an HR agency,” said Mactaggart.

Businesses have worried the ADMT regs will broadly capture every day ADMT such as calculators and have pushed back against them.

Kristen Anderson, an agency attorney, said not all automated decision fall into the law’s scope.

“While the definition is broad, a business’ obligation depends on whether thresholds are met.”

The current regs define ADMT as a, “Decision that produces legal or similarly significant effects concerning a consumer” and “results in access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.”

Profiling, which is also included, is defined as, “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

If a business is using ADM to profile an employee, freelancer, job applicant or employee, an opt-out right must be provided. A business wouldn’t be able to profile people in public without giving an opt out right.

Members agreed that the ADMT definition will benefit from input from the public.

“You have a lot of power as a business,” said board member Vinhcent Le, who is part of the subcommittee drafting ADMT regs. “Now that you have all this power, we want to see that you’re using it responsibly. That is the goal of a lot of these regulations.”

Justin Kloczko
Justin Kloczko
Justin Kloczko follows tech and privacy for Consumer Watchdog. He’s a recovering daily newspaper reporter whose work has also appeared in Vice, Daily Beast and KCRW.

Latest Privacy Videos

Video thumbnail
KCBS - Los Angeles, CA: California Biobank Stores Every Baby's DNA; Parents Had No Idea
04:26
Video thumbnail
Consumer Alert: Wall Street using AI
01:48
Video thumbnail
KCBA (FOX) CA: Clearview AI Is Creating An AI Facial Recognition Software That Violates Privacy Laws
00:35
Video thumbnail
KGO CA: Consumer Watchdog Calls Attorney General to Investigate Clearview AI For Violating State Law
03:06
Video thumbnail
KNTV-SF (NBC) - San Francisco, CA: Tesla Recalls Millions of Cars
02:29
Video thumbnail
Consumer Alert: Clearview AI
01:19
Video thumbnail
Californians Now Have More Power Over Their Data
01:07
Video thumbnail
KPIX CBS TV-5 San Francisco, CA: Your Car's Computer Could Be Tracking And Reporting Your Every Move
00:48
Video thumbnail
California Votes YES on Privacy- Prop 24
13:14
Video thumbnail
Rage For Justice Report Podcast- Prop 24 For Your Privacy
19:18
Video thumbnail
Consumer Watchdog Hacks Tesla
02:00
Video thumbnail
FOX KSWB: New Internet-Connected Cars Could Get Hacked
01:05
Video thumbnail
ABC: Kill Switch Report Highlights Widespread Hacking Vulnerability of Connected Cars
02:12
Video thumbnail
KTTV FOX: Consumer Watchdog Report Warns That Hackers Can Take Over Your Car
05:02
Video thumbnail
SPECNEWS1: Watchdog Warns Cars With Internet Connection Vulnerable to Hacking
00:37
Video thumbnail
KBCW: Connected Cars Pose Risk to Driver Safety Due to Hacking Vulnerability
02:31
Video thumbnail
ABC KGO: Whistleblower Engineers Warn Connected Cars Need A Kill Switch to Stop Hacking
02:10
Video thumbnail
KCAL: Alarming Watchdog Report Shows Connected Cars Are Vulnerable to Hacking
02:51
Video thumbnail
ABC KGTV: Report Says Internet-Linked Cars Are Vulnerable To Hackers
00:30
Video thumbnail
KTTV Fox 11: Consumer Watchdog Report Shows How Vulnerable Connected Cars Are To Dangerous Hacking
01:05
Video thumbnail
NBC: Watchdog Report Show Connected Cars Lack of Cybersecurity Put Drivers at Risk
03:38
Video thumbnail
CBS KGPE: Connected Cars Pose A Cybersecurity Risk
03:05
Video thumbnail
Fox WDAF: High-Tech Cars Put Drivers At Risk Of Hacking Interference
00:47
Video thumbnail
ABC WXYZ: Connected Cars Can Be Hacked Says Kill Switch Report
01:36
Video thumbnail
KTTV GDLA: US Senators Write NHTSA About Connected Car Concerns
01:17
Video thumbnail
FOX KPTV: Kill Switch Report Details Cybersecurity Issues With Internet Connected Cars
02:28
Video thumbnail
CBS LA: Kill Switch Study Finds Connected Cars Are Vulnerable to Hacking
01:41
Video thumbnail
FOX KTTV: Consumer Watchdog on Privacy Issues, Hacking Risks With Internet-Connected Toys
03:00
Video thumbnail
CBS Evening News With Norah O'Donnell: Jamie Court Explains the Value of CA's Consumer Privacy Act
02:04
Video thumbnail
WAFF TV-48 Alabama: Watchdog Report Highlights Car-Hacking Risks
03:16
Video thumbnail
ABC KFSN: Internet-Connected Vehicles At Risk Of Being Hacked Says New Watchdog Report
00:33
Video thumbnail
KPIX CBS: Connected Cars Need A Kill Switch To Stop Dangerous Hacking
02:31
Video thumbnail
KCAL: Kill Switch Report Warns of Hacking Risk For Connected Cars
01:29
Video thumbnail
KTLA: Consumer Watchdog Report Warns of Hacking Risk For Internet Connected Cars
01:05
Video thumbnail
CBS This Morning: "Movie Pass Engages in Deceptive Data Mining" Says Consumer Watchdog
03:09
Video thumbnail
California Passes Strictest Privacy Law in Nation - Rising Up w/Sonali
13:09
Video thumbnail
Consumer Watchdog Exposes
04:20
Video thumbnail
How Google backs Backpage Sex-Trafficking, Press Conference Pt. 1
14:55
Video thumbnail
How Google backs Backpage Sex-Trafficking, Press Conference Pt. 3
14:57
Video thumbnail
Amazon Prime? Or Amazon Slime?
01:22
Video thumbnail
KMAX CBS Sacramento: Amazon shows deceptive prices to trick consumers, says Consumer Watchdog
00:31
Video thumbnail
KABC Los Angeles: Anti-Child Sex Trafficking Groups Call Out Google's Backing of Backpage
02:11
Video thumbnail
KPIX-CBS, San Francisco: DMV Investigates Uber After Consumer Watchdog report
00:28
Video thumbnail
KFMB CBS 8, San Diego: Amazon Prime Day Deals? Consumer Watchdog Says Beware
01:58
Video thumbnail
Asking about I AM JANE DOE at Google Shareholder Meeting
03:33
Video thumbnail
KNBC Los Angeles: Liza Tucker weighs in on regulators' failure to test camp for toxic waste
06:42
Video thumbnail
KNBC Los Angeles: Consumer Watchdog shows how Google helped fund defense of Backpage
01:58
Video thumbnail
KIRO CBS 7, Seattle, WA: Consumer Watchdog: Amazon Uses Fake "List Prices" to Trick Consumers
00:44
Video thumbnail
"I Am Jane Doe" introduction
01:42

Latest Privacy Releases

Privacy In The News

Latest Privacy Report

Support Consumer Watchdog

Subscribe to our newsletter

To be updated with all the latest news, press releases and special reports.

More Privacy Releases