2023 - Volume 2 - Summer - Flipbook - Page 13
businesses’ use of automated decisionmaking technology.” Id. at 1 (citing Civ. Code § 1798.185(a)(16)).
Specifically, the statute requires that these regulations
include “profiling and requiring businesses’ response
to access requests to include meaningful information
about the logic involved in those decisionmaking processes, as well as a description of the likely outcome
of the process with respect to the consumer.” Id. The
Agency also lists various specific topics that it is interested in—including the use of opt-outs and algorithmic
discrimination. Id. at 6-8.
-Artificial Intelligence: Continued from page 12-
Notice and Disclosure Obligations
A.B. 331 would require a deployer of an AI tool to
provide, “at or before” the time the tool is used, a notice to individuals that the tool is being used to make a
consequential decision. This notice must also explain
why and how the tool is specifically being used, as
well as a “plain language description” of the tool
which includes a description of human or automated
components that play a role in the decision-making
process.
The text of the CCPA, in conjunction with the substance of the questions posed by the Agency in its invitation to comment, hint at several features that can
be expected in the eventual regulations propounded by
the Agency. One of the most obvious features of any
CPPA regulation of AI is likely to involve an opt-out
requirement. Not only is this statutorily required by the
CCPA, but it is a common feature in other areas of data privacy. We can almost certainly expect new transparency requirements related to “meaningful information about the logic involved” in an AI decisionmaking process, “as well as a description of the
likely outcome of the process with respect to the consumer.” This may mean required disclosures of the
specific data used as an input into the AI tool and an
explanation of the outputs and how they are used to
make specific decisions. It is also possible this could
include required disclosures of data used to train or
develop an AI tool.
The bill also places on the deployer the requirement to add an “opt-out” mechanism, which would
allow—if “technically feasible”—an individual to
choose not to be subject to an automated decision tool
and instead utilize an “alternative selection or accommodation.”
Deployers are not the only ones with disclosure
obligations. The proposed law also would require developers of AI tools to make available a statement regarding the intended uses of the automated decision
tool. This disclosure specifically must include known
limitations and risks of algorithmic discrimination
created by the tool, a description of the data used to
train the tool, and a description of how the tool was
evaluated before sale or licensing.
Governance Requirements
While there are currently no privacy regulations
related to the use of AI, the CPPA’s proposed rulemaking indicates that the Agency has such regulations
on the agenda.
The bill also places a governance requirement on
developers and deployers. This governance program
must contain “reasonable administrative and technical
safeguards to map, measure, manage, and govern the
reasonably foreseeable risks of algorithmic discrimination” associated with the use of any AI tool.
Takeaway
As A.B. 331 and the CPPA’s proposed rulemaking
show, California privacy laws will inevitably cross
paths with the use of AI technology, adding another
risk that businesses should have on their radar as they
grapple with this emerging technology.
CPPA Rulemaking
The CPPA has engaged in a proposed rulemaking
also aimed at “automated decsionmaking.” Invitation
for Preliminary Comments on Proposed Rulemaking
Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. The Agency states that it invites
comments on its proposed rulemaking to better
“determin[e] the necessary scope of such regulations.”
Id. at 6.
CONCLUSION
Much ink already has been spilt about the benefits
of AI for businesses, but much less is written about the
risks. This article does not aim to cover every possible
risk, but instead aims to show businesses the range of
risks that this technology can create as a balance to its
undeniable benefits. Overall, only the leaders of a
In its proposed rulemaking, the Agency explains
that the CCPA directs the Agency to issue regulations
“governing access and opt-out rights with respect to
-Continued on page 15-
13
