California's draft 'ADMT' regulations (3/3): New consumer rights
Posted: December 22, 2023
The California Privacy Protection Agency (CPPA) has published draft regulations about the use of “automated decision-making technology” (ADMT) under the California Consumer Privacy Act (CCPA).
In Parts 1 and 2 of the three-part series, we explained how the draft regulations would apply and explored the concept of the “pre-use notice”.
In Part 3, we look at the two new consumer rights proposed in the CPPA’s draft ADMT regulations: The “right to opt out” and the “right of access” to information about ADMT.
These rules would demand a substantial increase in transparency from many CCPA-covered businesses. But the regulations also present an opportunity to build customer trust and offer people more control over their personal information.
The right to opt out
Under the CCPA, consumers can already opt out of the sale and sharing of their personal information and limit how businesses use their sensitive personal information in certain circumstances.
The CPPA’s draft ADMT regulations would extend the CCPA’s consumer rights by enabling consumers to opt out of certain uses of ADMT.
Designated opt-out methods
As with other CCPA rights, the draft ADMT regulations require that businesses establish at least two methods for submitting ADMT opt-out requests.
Designated methods may include:
- An interactive form, accessible via an opt-out link in the pre-use notice (mandatory for businesses operating online)
- An in-person method (if the business interacts with consumers in person)
- A toll-free phone number
- A designated email address
- A form submitted through the mail
A cookie banner isn’t enough in itself. ADMT opt-outs must be specific to ADMT, and not bundled with other opt-out methods.
Other opt-out requirements
The draft regulations propose some other rules and requirements concerning the right to opt out of ADMT:
- A business must provide a method that allows the consumer to confirm whether the business has stopped using ADMT with respect to the consumer
- A business must provide a way for consumers to submit a complaint about its use of ADMT
- If a request arrives after the business has started using ADMT with respect to the consumer, the business must:
  - Stop using ADMT with respect to the consumer as soon as possible and within 15 business days
  - Notify any service providers, contractors, or other persons to stop using ADMT with respect to the consumer
- A business can request the consumer’s consent to re-start using ADMT, but not within 12 months of the consumer opting out
Accessibility and form of opt-out methods
Under the draft regulations, opt-out methods must:
- Be easy for consumers to execute
- Require minimal steps for the consumer
- Comply with the CCPA’s accessibility rules
- Not require the consumer to create an account or submit unnecessary information
Businesses must not normally require a consumer to undergo an identity verification process to opt out of ADMT.
The exception is where the consumer would likely be negatively impacted if the business upheld a request submitted fraudulently on the consumer’s behalf.
As with other CCPA rights, a consumer can use an “authorized agent” to opt out on their behalf.
Exceptions to the opt-out rules
A business can deny a request to opt out if the business uses ADMT only for one or more of the purposes summarized below:
- Preventing, detecting, or investigating security incidents involving personal information
- Resisting malicious or illegal activities directed at the business
- Protecting consumers’ lives or safety
- Providing goods or services specifically requested by the consumer
The exceptions generally only apply if the business can show that there is no reasonable alternative to using ADMT.
A business can also deny a request to opt out of ADMT if there is a “reasonable and documented belief” that the request is fraudulent. The business must explain its reasoning to the consumer.
The right to access information about ADMT
The draft regulations would introduce a new right to access information about the business’s use of ADMT (the “right of access”).
The right of access requires a business to disclose extensive information about its use of ADMT on request. In some circumstances, the business must proactively provide information to a consumer, with no need for the consumer to make a request.
The right of access is separate from the CPPA’s proposed “pre-use notice”, which we explored in Part 2 of this series.
Information to provide in response to an access request
Consumers will exercise their right of access in the same ways as with other CCPA rights, and the same basic rules about deadlines and accessibility apply.
Here’s a summary of what businesses must disclose in response to an ADMT access request:
- The purpose of the ADMT explained in non-generic terms
- The output of the ADMT with respect to the consumer
- How the output was used to make a decision about the consumer, including:
  - What decision was made,
  - Any factors other than the output that were used in the decision,
  - The role of any human involvement,
  - Whether the technology has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation
- How the business intends to use the output for future decisions (if relevant), including all the information listed in the point above with respect to any future decisions
- How the ADMT worked with respect to the consumer, including:
  - How the logic was applied to the consumer,
  - The key parameters that affected the output.
- A method for the consumer to obtain the range of possible outputs, which may include aggregate statistics about the most common outputs
- Instructions for how the consumer can exercise their other CCPA rights (which may be a link to the relevant section in the business’s privacy policy)
- How to make a complaint about the business’s use of ADMT, including to the CPPA and the California Attorney General
A business must apply reasonable security measures when sharing the requested information with the consumer and must assist the consumer in making the request.
Denying goods or services
If a business uses ADMT to deny goods or services to a consumer, the business must proactively notify the consumer about the decision.
The notification must:
- Explain the decision
- Describe the “right of access” and how to exercise it
- Explain how to file a complaint with the CPPA and the Attorney General
Rejecting a request
Unlike under “the right to opt out,” a business must verify a consumer’s identity before responding to a request under the right of access.
If a business can’t verify a consumer’s identity, it must explain this to the consumer and must only disclose information about the purposes of its use of ADMT.
If a business denies a consumer’s verified access request for other reasons, such as a conflict with other laws or an exception to the CCPA, the business must explain this to the consumer (unless prohibited by law).
If a business falls under an exception to the “right to opt out” (explained above), the business does not need to disclose any information under the “right of access” request—if doing so would “compromise its processing of personal information for those purposes”.