The California Privacy Protection Agency (CPPA) has published draft regulations about the use of “automated decision-making technology” (ADMT) under the California Consumer Privacy Act (CCPA).
In Parts 1 and 2 of the three-part series, we explained how the draft regulations would apply and explored the concept of the “pre-use notice”.
In Part 3, we look at the two new consumer rights proposed in the CPPA’s draft ADMT regulations: the “right to opt out” and the “right of access” to information about ADMT.
These requirements would demand a substantial increase in transparency from many CCPA-covered businesses. But the regulations also present an opportunity to build customer trust and offer people more control over their personal information.
The right to opt out
Under the CCPA, consumers can already opt out of the sale and sharing of their personal information and limit how businesses use their sensitive personal information in certain circumstances.
The CPPA’s draft ADMT regulations would extend the CCPA’s consumer rights by enabling consumers to opt out of certain uses of ADMT.
Designated opt-out methods
As with other CCPA rights, the draft ADMT regulations require that businesses establish at least two methods for submitting ADMT opt-out requests.
Designated methods may include:
- An interactive form, accessible via an opt-out link in the pre-use notice (mandatory for businesses operating online)
- An in-person method (if the business interacts with consumers in person)
- A toll-free phone number
- A designated email address
- A form submitted through the mail
A cookie banner isn’t enough in itself. ADMT opt-outs must be specific to ADMT, and not bundled with other opt-out methods.
Other opt-out requirements
The draft regulations propose some other rules and requirements concerning the right to opt out of ADMT:
- A business must provide a method that allows the consumer to confirm whether the business has stopped using ADMT with respect to the consumer
- A business must provide a way for consumers to submit a complaint about its use of ADMT
- If a request arrives after the business has started using ADMT with respect to the consumer, the business must:
  - Stop using ADMT with respect to the consumer as soon as possible and within 15 business days
  - Notify any service providers, contractors, or other persons to stop using ADMT with respect to the consumer
- A business can request the consumer’s consent to re-start using ADMT, but not within 12 months of the consumer opting out
Accessibility and form of opt-out methods
Under the draft regulations, opt-out methods must:
- Be easy for consumers to execute
- Require minimal steps for the consumer
- Comply with the CCPA’s accessibility rules
- Not require the consumer to create an account or submit unnecessary information
Businesses must not normally require a consumer to undergo an identity verification process to opt out of ADMT.
The exception is where the consumer would likely be negatively impacted if the business upheld a request submitted fraudulently on the consumer’s behalf.
As with other CCPA rights, a consumer can use an “authorized agent” to opt out on their behalf.
Exceptions to the opt-out rules
A business can deny a request to opt out if the business uses ADMT only for one or more of the purposes summarized below:
- Preventing, detecting, or investigating security incidents involving personal information
- Resisting malicious or illegal activities directed at the business
- Protecting consumers’ lives or safety
- Providing goods or services specifically requested by the consumer
The exceptions generally only apply if the business can show that there is no reasonable alternative to using ADMT.
A business can also deny a request to opt out of ADMT if there is a “reasonable and documented belief” that the request is fraudulent. The business must explain its reasoning to the consumer.