This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

California Releases Draft AI/Privacy Regulations

The privacy regulatory board in California has released a draft set of rules designed to allow customers to opt out of certain automated decision-making using their personal information. The rules would also require prior notice to consumers of automated decision-making using their personal information, and allow consumers to request access to data showing how their personal information has been used in automated decisions. The draft rules must go through a public comment period and are not expected to be finalized until some time in 2024.  

Why It Matters

California led the way for state-level consumer privacy legislation covering a comprehensive set of principles. It may be poised to do the same with certain aspects of AI that directly affect consumers. Crucially, it would allow consumers to opt out of the use of automated decision-making about them under certain circumstances, including in job performance evaluations, while they are in public places, and when a business is making a legal determination about the consumer. The opt-out right would also extend to employees dealing with their employers, for instance when employers use productivity tracking tools (e.g., keystroke loggers, location trackers, and other monitoring technologies) to benchmark performance.  

Employers could be faced with new compliance requirements for how they handle HR and employee data. These new AI rules also could affect the use of algorithmic or AI usage in many other areas. Other states do not yet regulate the privacy of HR/employee data, so it is possible that the impact of these rules will remain limited to California. It is also possible that other states will copycat the principles behind the California rules. Time will tell how broadly these requirements spread.  

According to a draft provided to the IAPP, the proposed rules are broken down into three major sections: how to provide notice of the technology's use, when and how opting out is allowed, and how consumers can access information used by the business. It also carves out key areas of discussion for the CPPA Board, including how businesses might approach profiling children under 16 and how consumer information can be used to train a given system.


data security and privacy, hill_mitzi, insights, employment, employment and labor lit