With around 20 tech bills being considered by legislators in Sacramento this year, the California Privacy Protection Agency has been keeping tabs on them, even sponsoring some of its own. But there are bills that it has taken issue with. The agency is caught in a moment where it is building out and beginning to enforce a major law, the California Consumer Privacy Act (CCPA), while lawmakers are trying to make new ones, many of which overlap with the CCPA.
During this week’s privacy meeting, the agency stopped short of supporting a bill regulating algorithms, Assembly Bill 2930, introduced by Rebecca Bauer-Kahan. In essence, the bill mandates that businesses show the Attorney General’s Office that their automated decision-making technology (ADMT) is not biased or discriminatory.
But the privacy board deferred on supporting an amended version of the bill based on a mix of procedural and substantive grounds. The board sought enforcement and rulemaking authority in light of conflicting laws, as well as an expanded opt-out definition.
First, a little history on the bill, which originally contained some red flags and has now been amended a number of times. As has been pointed out, the bill was drafted with the help of tech companies like Workday, the corporate HR software company, which circulated a confidential model bill to state lawmakers across the country earlier this year. Verbiage similar to the company’s model bill made it into ADMT bills in multiple states, including California. Some of the similar language contains a loophole stating that regulations would only apply to an automated decision tool that has been, “specifically developed and marketed to, or specifically modified to be the controlling factor in making a consequential decision.”
With such language, companies could argue that their products were not “specifically” made to be a factor in making a significant decision, such as a loan or college admission, thus freeing them from legal liability. That line was previously in Bauer-Kahan’s bill, and the privacy agency never took issue with it, but it has since been taken out. When the bill was introduced, a Workday lobbyist quoted in the press release said Workday was “pleased to have contributed to its development.”
On Tuesday, privacy board members were set to vote on supporting the bill if amended with their recommendations. The recommendations range from expanding the opt-out definition from fully automated decisions to cover decisions in which ADMTs played a substantial role, to tightening exemptions for impact assessments from public records requests. The agency also wants the law to clarify that if a company is performing an assessment under the purview of another law, then it would be in compliance if the same requirements are met. Lastly, and perhaps most importantly, the agency also wants to be given enforcement and rulemaking authority over the law.
“If this bill were to be adopted in its current form, a separate and overlapping set of requirements would apply for businesses covered by both AB 2930 and the CCPA,” wrote the agency in a memo. “This would cause a great deal of confusion and could make it difficult for businesses to comply. The problems will only get worse if AB 2930 is adopted and then amended in the future—creating the potential for further divergence and conflicting requirements.”
The bill has since been amended, but the agency is not fully satisfied with the amendments.
“Most of the suggestions have not been taken at this point,” Maureen Mahoney, the agency’s deputy director of policy and legislation, told the privacy board. “More work is needed.”
The law defines “Automated decision tool” as, “an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making consequential decisions.” The agency appears to have some enforcement authority regarding fines, but enforcement is generally handed to the Attorney General’s Office. It also says an impact assessment disclosed to the privacy agency would be exempt from public records.
The agency said more work is needed surrounding the opt-out definition and risk assessment requirements.
But the back and forth between privacy board members turned into apprehension about the procedural nature of the bill, such as compliance issues.
“I’m a little uneasy about it,” said privacy board member Drew Liebert, who added he wants to be consumer friendly but is unsure about the bill’s future.
“To me that suggests a little more caution as to how we would proceed of being supportive of the measure,” he said.
The board ultimately stuck with a “wait-and-see approach.”
Another bill the agency previously suggested amendments to is Assembly Bill 1949 (Wicks), the bill expanding protections for minors whose data is collected by businesses. A key portion of that bill eliminated the so-called “knowledge standard” in which businesses didn’t have to actually do any work to know that collected data belongs to a minor. But the privacy agency voted to support the bill after declaring it should maintain the standard, or something in the alternative. One contention was that eliminating the standard would be bad for privacy because businesses would collect more data in order to verify that a consumer is a minor. Others have contended that it doesn’t really matter because companies already suck up tons of data. The bill has since been amended to reinstate the knowledge standard. Both of these bills are now before Senate Appropriations.