California’s state privacy regulator on Monday proposed new rules which would give residents more control over how their data can be used for artificial intelligence-driven advertising technology, as well as automated profiling or tracking.
The regulator, known as the California Privacy Protection Agency (CPPA), says it hopes to finalize the new regulations governing how businesses use automated decision-making technologies (ADMT) by next year.
The proposed regulations include provisions giving consumers the right to be notified before their data is used for ADMT and to opt out from its use if they choose to.
The draft rules are also a preview for how artificial intelligence processing will be treated under California’s landmark consumer privacy act, which took effect in 2020.
CPPA officials pointed to the proposed rules as just the latest example of the state’s trailblazing work regulating privacy.
In September, California enacted unprecedented legislation giving state residents the right to force data brokers to delete their personal information with a single keystroke. Similar legislation died in a previous session of Congress but was reintroduced this year.
“Once again, California is taking the lead to support privacy-protective innovation in the use of emerging technologies, including those that leverage artificial intelligence,” Vinhcent Le, a member of the CPPA’s New Rules Subcommittee, which drafted the proposed regulations, said in a statement.
The draft rules include requirements for businesses using ADMT in the following ways:
CPPA’s proposed rules also include new protections to limit how consumers’ personal data can be exploited to train ADMT models.
In its announcement of the proposed rules, CPPA said that they will require businesses to provide “Pre-use Notices” to tell consumers how they plan to use ADMT and allow them to opt out. Consumers also would be given the ability to “access more information about how the business used ADMT to make a decision about the consumer,” CPPA said in a news release.
The CPPA’s effort appears to be inspired by European Union rules known as the General Data Protection Regulation (GDPR), which gives consumers the ability to influence automated decisions which could significantly impact them.
It also seems to be inspired by Europe’s Artificial Intelligence Act (AI Act), which was proposed by the European Commission in April of 2021 and seeks to lay the groundwork for a shared regulatory and legal framework for artificial intelligence. That legislation is still under debate in Europe and appears to be stalled.
The CPPA’s proposed rules are an initial draft and businesses will be given the chance to weigh in in the coming months.
The CPPA said its board will “provide feedback” on the proposed rules at a December 8 board meeting with the agency planning to begin the formal rulemaking process next year.
Get more insights with the
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.