LOGIN Request a call
Update Applicable to:  Effective date
All employers subject to the California Consumer Protection Act (CCPA)  See details

What happened?

On its December 8, 2023, Board meeting, the California Privacy Protection Agency (CPPA) has released draft Automated Decision-making Technology (AI) Regulations, as well as a revised draft for risk-assessment regulations.

What are the details?

These drafts were provided as part of the meeting materials for an update from the CPRA rules subcommittee, indicating the agency’s commitment to addressing privacy and Automated Decision-Making Technology (ADMT) matters.

Regarding Automated Decision-Making Technology (ADMT):

  • The CPPA offers an initial glimpse into the Agency’s deliberations regarding this new and substantial rulemaking subject. The draft follows similar restrictions like the one New York enacted for ADMT, reported also by Vensure here.
  • The draft regulations would apply to California residents, including consumers, employees, job applicants, and other individuals in the business-to-business or employment context, requiring employers that use these tools notify that an employment decision was based on the use of ADMT (e.g., denial of employment opportunity), and that they have a right to access information about how the technology was used or that they (including independent contractors) have the ability to opt out of profiling.
  • The draft regulations were published to facilitate public comment and will be discussed at the CPPA’s board meeting on December 8, along with previously released proposed regulations regarding cybersecurity audits and risk assessments.
  • These proposed regulations are subject to change before they are finalized.

Topics regarding the drafts are:

  1. Right to opt out (Exceptions apply)
  2. Notice
  3. Right to access
  4. Risk assessments
  5. Profiling
  6. Applicable Thresholds

Regarding Risk Assessment Regulations and Cyber Security Audits

The CPPA also proposed some revised rules for Risk Assessments and a new draft for Cyber Security Audits.

Risk Assessment Regulations topics focus on the following:

  1. Consultation with External parties regarding uses of ADMT/AI
  2. Periodic revisions and updates to policies
  3. Submission of reports
  4. Clarification of language

For Cyber Security Audits, the focus is the following topics:

  1. Threats and harms
  2. Applicability thresholds for data and non-data brokers
  3. Accounting for non-employee personnel
  4. Scope
  5. Reports regarding security incidents

Best practices

  • Consider carving out time to review the drafts and getting a heads up on what could possibly come from the CPPA in the next months.

Here are some additional resources:

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's California PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.

Amazing!

You're all set.

Thanks for subscribing. Be on the look out for the Legal HR updates in your email.

Tracking Convertion image