Shawn Flaherty
Published in Tranquil Data
4 min read · Dec 11, 2023

Navigating the Future: California’s Draft Rule on Automated Decision-Making Technologies

California stands at the forefront of shaping data privacy regulations in the US, as evidenced in its new draft rule on Artificial Intelligence. In this article, I explore the key aspects of the proposed rule and delve into challenges that affected companies will face.

Understanding the Proposed Regulation

The proposed rule centers on Automated Decision-Making Technologies (ADMT), defined as any technique that processes personal information and utilizes AI/ML to make or facilitate a decision. The rule establishes that consumers have the right to opt out of uses of ADMT that have legal or significant effects on them, such as profiling, financial services, housing, insurance, education, criminal justice, employment, and healthcare services.

This proposed rule mirrors a prevalent trend in new data regulations, where a specific category (in this case, personal information) faces restrictions for one or more purposes (in this case, ADMT). Notably, this pattern aligns with the increasingly common structure found in regulations, consent frameworks, and business-to-business contracts (more on B2B contracts here).

Increased Transparency

A pivotal aspect of California’s proposed rule on ADMT is the mandate for businesses to provide users with a pre-use notice. This notice serves as a transparency mechanism, articulating the intended purposes for which ADMT will be employed and disclosing the specific categories of personal information processed. The draft rule explicitly addresses the inadequacy of common practices that use generic terms, such as “to improve the service.” Such generic terms are deemed insufficient as they fail to provide users with substantive information essential for making informed decisions.

Businesses are additionally required to offer a straightforward method, such as a layered notice or hyperlink, through which consumers can access even more specific information about the utilization of ADMT. For additional insights into how regulators are compelling transparency, refer to this article on the FTC’s Affirmative Express Consent Mandate. The article outlines various approaches, accompanied by a mockup illustrating what such a user interface might resemble.

Opt-Out Submission

The draft rule mandates that businesses must furnish consumers with a minimum of two designated methods for submitting opt-out requests, and both methods must be easily accessible and straightforward. Furthermore, one of these methods must align with the typical interaction channels employed by the business in its customer interactions. As an illustration, the draft rule specifies:

“A business that interacts with consumers online shall, at a minimum, allow consumers to submit requests to opt-out through an interactive form accessible via an opt-out link that is provided in the Pre-use Notice.”

Challenges in Implementing Opt-Out Requests

Unlike straightforward cookie opt-outs, where businesses can simply stop collecting cookies, the challenge with ADMT lies in collecting user data while ensuring it is not utilized for a specific purpose. This situation presents businesses relying on ADMT with two options:

  1. Bar all users who opt out of ADMT from accessing that product or service
  2. Capture the user’s choice and subsequently segment their data to ensure it is not utilized for ADMT purposes

The first choice entails losing customers who opt out of ADMT, directly impacting the user base and revenue potential. On the other hand, the second choice presents significant technical challenges. The second choice has two potential solutions, each of which presents its own challenges. The first solution involves completely segmenting the data of California residents, and providing a dedicated instance of the product or service without ADMT. The second solution involves capturing the opt-out decision in a manner that stays with the user’s data as it moves across systems, gets aggregated, and undergoes repurposing over time. Subsequently, this choice demands the development of a policy enforcement framework to ensure that no ADMT activities can rely on the data of a user who has opted out. For further insights into the complexities of this process at scale, refer to this Facebook memo, which details the substantial engineering effort required (e.g., 450–750 engineering years) to complete such a project.

Swift Cessation of Data Use

Another significant challenge for businesses arises when a user, after initially opting in, decides to opt out of ADMT after using the product or service. In this scenario, the rule imposes a stringent response requirement, compelling businesses to cease processing personal information through ADMT as promptly as feasible, with an absolute deadline of no later than 15 business days from receiving the request. Meeting this aggressive timeline necessitates a technical infrastructure capable of automating the process of halting ongoing procedures that have already started relying on ADMT.

The Need for Transparency

Demonstrating the effectiveness of segmentation to external entities, such as regulatory bodies or concerned consumers, is like unveiling the intricate gears within a complex machine. It goes beyond a mere assertion of functionality; it necessitates a transparent method to showcase that the system operates in alignment with opt-out preferences.

When compliance is ingrained with transparency from the outset, businesses mitigate regulatory risks because non-technical stakeholders can easily identify when their requirements aren’t met and prompt necessary adjustments. Additionally, in the event of regulatory scrutiny, there exists a clear and transparent means to prove that the business upholds a top-tier standard as a custodian of data. For examples of companies in 2023 that failed to incorporate transparency into their data handling and faced significant regulatory audit consequences, refer to this article.

Conclusion

California’s new draft ADMT rule exemplifies a prevailing trend where certain data categories are limited in use for specific purposes. This pattern is propelled by the increasing awareness of privacy among consumers and enterprises, alongside the evolving landscape of state, federal, and international regulations. These regulations necessitate a novel set of tools that shift the focus away from restricting what data is collected (e.g., cookies) to concentrating on how data can be used and shared in line with complex requirements at scale.

If navigating compliance with the new ADMT rule or any analogous regulation poses a challenge, we would love to talk: info@tranquildata.com.
