California's draft 'ADMT' regulations (2/3): Pre-use notice

The California Privacy Protection Agency (CPPA) has published draft regulations about the use of “automated decision-making technology” (ADMT) under the California Consumer Privacy Act (CCPA).

In Part 1 of the three-part series, we explained how the draft regulations would apply. The CPPA envisions a broad and expansive set of rules that will affect many businesses using AI to make decisions about consumers.

In Part 2, we explore one of the three main obligations the CPPA hopes to impose on businesses using ADMT: The “pre-use notice”.

What is a pre-use notice?

The pre-use notice is similar to the “notice at collection” under the CCPA. It’s a just-in-time notice that provides information about the business’s intended use of personal information. The pre-use notice must also contain a link to a more extensive notice.

But creating a pre-use notice could be a pretty complicated process compared to the relatively simple process of writing up a CCPA notice at collection.

When is a pre-use notice required?

Under the draft regulations, a business must provide a pre-use notice if it conducts any of the activities listed in Section 7030 (b) of the draft ADMT regulations.

These activities include using ADMT to make decisions with “legal or similarly significant effects”, profiling employees, and profiling consumers in public places.

For more detail on the scope of the draft ADMT regulations, see Part 1 of this three-part series.

How must a pre-use notice be presented to consumers?

The CPPA’s regulations require that a pre-use notice is easy to access and understand. A pre-use notice must:

• Comply with Section 7003​​ of the 2023 CCPA Regulations, which sets out the requirements for communications to consumers (briefly, all consumer-facing communications must be accessible, including to consumers with disabilities)
• Be made “readily available where consumers will encounter it”
• Be provided in the manner that the business primarily interacts with the consumer before the business uses ADMT in respect of the consumer

What must a pre-use notice include?

A pre-use notice must include the following:

• A “plain language explanation” of the business’s purposes for using ADMT. The CPPA notes that generic phrases such as “to improve our services” are too broad
• A description of the right to opt out of ADMT and an explanation of how to submit a request (we’ll look at the right to opt out in Part 3 of this series). If the business is exempt from the opt-out requirements, it must explain why
• A description of the right of access to information about how the business uses ADMT and an explanation of how to submit a request (we’ll look at the right of access in Part 3 of this series)
• A simple and easy-to-use method (such as a link) via which the consumer can receive additional information about the ADMT.

What ‘additional information’ must a business provide?

As noted in the final point of the above list, a pre-use notice must contain a link (or other method) to a separate notice providing additional information about the business’s use of ADMT.

The additional information must include a “plain language explanation” of the following:

• The logic used in the ADMT, including key parameters affecting its output and the reasons these parameters are key​​
• The intended output (such as “a numeric score of compatibility”)
• How the business plans to use the output to make a decision, including the role of any human involvement
• Whether the business’s use of the technology has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation​​.

Note that the business is not obliged to evaluate its ADMT for fairness, etc., – only to disclose whether such an evaluation has been made – and, if so, disclose the outcome of the evaluation.

This longer notice should not be confused with the information that a business must provide under the new “right of access”, which we’ll explore in Part 3 of this series.