Skip to main content
close search
site logo

Businesses face automated decisionmaking disclosures under proposed California regulations

Companies using automated technology to make decisions would have to provide consumers with a variety of information about their activities and allow for opt-outs.

Published Nov. 28, 2023
Lyle Moran's headshot
Lyle Moran Reporter
An automation software technology process concept
An automation software technology process concept jittawit.21 via Getty Images

Businesses would be required to provide consumers with detailed information about their plans to use automated decisionmaking technology under draft California regulations released this week. 

Organizations would also have to provide consumers with the ability to opt out of their use of such automated technologies that are often powered by AI.

The draft regulations define automated decisionmaking technology as any system, software, or process “that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.”

Businesses have been reported to use automated technology to assist with decisions in employment, housing and banking contexts, among others.

The proposed automated decisionmaking regulations were released Monday by the California Privacy Protection Agency and will be reviewed by the agency’s board at its Dec. 8 meeting. Formal rulemaking is expected to begin next year, the agency said.

“These draft regulations support the responsible use of automated decisionmaking while providing appropriate guardrails with respect to privacy, including employees’ and children’s privacy,” said Vinhcent Le, a California privacy agency board member, in a press release.

Notices

The regulations would require businesses to provide “Pre-use Notices” to let consumers know how the business proposes to utilize so-called ADMT.

The explanation of the purpose for which the business wants to use the technology must be specific rather than generic and use plain language.

The notices should also contain an easy method by which a consumer can obtain additional information about the business’ use of ADMT.

The extra information should include the logic used in the technology and the intended output. A business must describe how it plans to use the output to make a decision, including the role of any human involvement.

Additionally, a business must highlight whether its use of ADMT “has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation.”

Opt-outs

Consumers can review the information provided by businesses to decide whether to opt out of the use of ADMT.

The draft regulations list three types of ADMT uses for which a business must provide consumers with the ability to opt out.

The first is for a decision “that produces legal or similarly significant effects concerning a consumer.”

These decisions are ones that result in “access to, or the provision or denial of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.”

The second ADMT use listed in that section is profiling a consumer “who is acting in their capacity as an employee, independent contractor, job applicant, or student.”

The draft regulations define profiling as any form of automated processing of personal information to evaluate certain personal aspects, including to analyze or predict aspects concerning a person’s performance at work.

Businesses also must provide consumers with the ability to opt out of using ADMT to profile them while they are in a publicly accessible place using Wi-Fi or Bluetooth tracking, among other technology.

There are three other options provided for board discussion, including providing an opportunity to opt out of ​​profiling a consumer for behavioral advertising or profiling a consumer the business knows is under the age of 16.

Employer impact

David Stauss, a Husch Blackwell partner, highlighted in a blog post that the proposed regulations apply to the automated processing of some types of employee information such as keystroke loggers, productivity or attention monitors and web-browsing. 

“Businesses with California employees would need to take a close look at their employee data collection activities to ensure compliance,” Stauss wrote on the Byte Back blog.

He also said that allowing employees to opt out of their employers’ use of ADMT for profiling is notable.

Opt-out exceptions

The regulations lay out several uses of ADMT for which businesses are not required to provide consumers with an ability to opt-out. 

The exceptions include using the technology “to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.”

Other exceptions are using ADMT “to protect the life and physical safety of consumers” and “to provide the good or perform the service specifically requested by the consumer.”

Additionally, the technology can be used without an opt-out option “to resist malicious, deceptive, fraudulent, or illegal actions directed at the business.”

Information requests

As part of consumers’ rights to access, businesses would be required to provide various information to consumers about the use of ADMT for processing activities.

This includes a mandate to let consumers know if a business has made a decision that results in the denial of goods or services as set forth in the regulations. This could include denying an employment opportunity or lowering an employee’s compensation.

Businesses would need to detail how they used the output from automated technology to make a decision with respect to the consumer and any factors other than the output that the business used to make the decision, among other information.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release

Want to share a company announcement with your peers?

Share your announcement

Editors' picks
Latest in Compliance
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.