California's draft 'ADMT' regulations: Scope and application
Posted: December 8, 2023
The California Privacy Protection Agency (CPPA) got new powers under the California Privacy Rights Act (CPRA) to create regulations pertaining to “Automated Decision-Making Technology” (ADMT).
These new rules represent an early step towards meaningful private-sector AI regulation in the US. The first draft of the CPPA’s regulations arrived on 28 November 2023 and will affect many types of AI-driven processes and profiling activities.
The regulations will impact many businesses covered by the California Consumer Privacy Act (CCPA). This article, the first of three parts, examines what types of activities the draft regulations cover.
What are ADMT and Profiling?
The draft regulations provide some broad definitions that would likely capture the activities of thousands of businesses.
Here are two of the draft regulations’ four definitions. We’ll address the other two in the appropriate sections below.
- Automated Decision-Making Technology: “Any system, software, or process – including one derived from machine-learning, statistics, or other data-processing or artificial intelligence – that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. Automated decision-making technology includes profiling.”
- Profiling: “Any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
In other words…
- “ADMT” means any system that facilitates (even partly) automated or AI-driven decisions based on personal information.
- “Profiling” means the automated or AI-driven processing of personal information to analyze a person’s characteristics or behavior in certain contexts.
In adopting these definitions, the CPPA has been strongly influenced by Article 22 of the EU and UK General Data Protection Regulation (GDPR). But the CPPA’s conception of automated decision-making is arguably even broader than the EU’s.
What uses of ADMT are covered by the regulations?
The proposed rules only apply to businesses engaged in certain uses of ADMT, which are listed in Section 7030 (b) of the draft regulations.
Here are the covered activities, annotated with explanations and definitions.
Decisions with legal or similarly significant effects
A business has obligations under the CPPA’s regulations if it uses ADMT for “a decision that produces legal or similarly significant effects concerning a consumer.”
An automated decision has “legal or similarly significant effects” if it results in access to, or the provision or denial of, services in the following areas:
- Financial or lending services
- Housing
- Insurance
- Education enrollment or opportunity
- Criminal justice
- Employment
- Independent contracting opportunities or compensation
- Healthcare services
- Essential goods or services
Profiling employees, contractors, applicants, and students
The CPPA’s regulations cover a business that profiles “a consumer who is acting as an employee, independent contractor, job applicant, or student.”
The CCPA is a particularly powerful privacy law because, unlike every other US state comprehensive privacy law, the CCPA protects employees (etc.) as “consumers”.
The regulations provide a non-exhaustive list of examples of such profiling activities, which include profiling an employee using:
- Keystroke loggers
- Productivity or attention monitors
- Video or audio recording or live streaming
- Facial or speech recognition or detection
- Automated emotion assessment
- Location trackers
- Speed trackers
- Web browsing, mobile application, or social media monitoring tools
Download our first-party data strategy guide
This guide will give you all the knowledge and tools necessary so that your business can take its first-party data strategy to a new level, so your brand isn’t left behind. Here’s what we cover:
- How you can master the art of obtaining valuable customer insights and building trust whilst navigating the complexities of data privacy regulations
- A detailed overview of the latest tools and technologies available to optimize your data collection strategy
- A step-by-step framework to integrate data collection practices into your organization
Profiling in a publicly accessible space
A business is covered by the CPPA’s regulations if it engages in “profiling a consumer in a publicly accessible place.”
The regulations define a “publicly accessible place” as “a place that is open to or serves the public.” The CPPA even provides some non-exhaustive examples of publicly accessible places, which include:
- Shopping malls
- Stores
- Restaurants
- Cafes
- Movie theaters
- Amusement parks
- Convention centers
- Stadiums
- Gymnasiums
- Hospitals
- Medical clinics or offices
- Transportation depots
- Transit
- Streets
- Parks
The regulations list the sorts of technologies that could be used for such profiling, which include:
- Wi-Fi or Bluetooth tracking
- Radiofrequency identification (RFI)
- Drones
- Video or audio recording or live streaming
- Facial or speech recognition or detection
- Automated emotion assessment
- Geofencing (targeting based on a person’s presence in a particular place)
- Location trackers
- License plate recognition
Additional board discussion points
All these rules are in draft, and they could change before the regulations are finalized. However, the final three items on the list of covered activities are presented as optional discussion points for the CPPA’s board.
The three covered activities presented as “discussion points” are as follows:
- Profiling a consumer for behavioral advertising.
- Profiling a consumer whom the business has actual knowledge is under 16.
- Processing the personal information of consumers to train ADMT.
Future drafts of the regulations might provide further details on the scope of these activities.
Are you in scope of the regulations?
The CPPA’s draft regulations list some relatively commonplace activities that constitute the use of ADMT, such as using productivity or time trackers to monitor employees, tracking location for behavioral advertising purposes, and vetting job applicants via AI software.
The “discussion points” tabled for future consideration include other activities conducted by many businesses, such as profiling consumers for behavioral advertising purposes and using personal information to train certain AI models.
If you’re covered by the regulations, you’ll have new obligations around transparency and consumer rights. We’ll look at how to meet those obligations in Part 2 of this three-part series.