On December 8, 2023, the California Privacy Protection Agency (CPPA) Board discussed a draft of its forthcoming artificial intelligence (AI) regulations on automated decision making technology (ADMT). The proposed regulations, published earlier on November 27, 2023, would impose significant new requirements on businesses subject to the California Consumer Privacy Act (CCPA) that use ADMT for certain use cases. The ADMT draft rules are expected to be part of the Agency’s larger rulemaking package alongside rules governing cybersecurity audits and risk assessments under the CCPA, as amended by the California Privacy Rights Act. While the draft ADMT regulations currently have no legal effect and are likely to undergo further revision before formal rulemaking begins, the current draft nonetheless provides an important preview of the rigorous new compliance requirements that could later take effect. Notable items put forth for public discussion include:
An analysis of the posted draft and accompanying Board discussion is provided below.
Next Steps
As governments around the world scramble to regulate AI, and with no omnibus federal legislation regulating privacy or AI in the U.S., states like California continue to loom as leading regulators in this emerging tech space. As a result, businesses that rely on ADMT to power their products and services should keep a close eye on this development, as California could become a template for other states and agencies. The CPPA has stated that it plans to commence formal rulemaking in 2024, at which point companies doing business in California are strongly encouraged to submit public comments to the CPPA regarding the impact of the regulations on their operations. Until then, the proposal is likely to undergo more revisions as the CPPA Board continues to tinker with issues around definitions, scope, and future-proofing.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, or if you are interested in filing public comments related to this rulemaking, please contact Tracy Shapiro, Eddie Holman, Doo Lee, or any member of the firm’s privacy and cybersecurity practice.