The California Privacy Protection Agency initiated a rulemaking process in 2021 to implement the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act. During this process, the Center for Democracy & Technology (CDT) has urged the Agency to craft its regulations to effectively protect sensitive data, establish data minimization and use/purpose limitations, and provide transparency and mitigate discriminatory outcomes in automated decision-making.
Most recently, the Agency invited comments to inform how it will implement provisions of the CCPA that require covered entities that process personal information to perform annual cybersecurity audits, submit risk assessments to the Agency on a regular basis, and provide consumers with access to information about, and the ability to opt out of, automated decision-making. CDT submitted comments focusing on automated decision-making and risk assessments, describing:
- Businesses’ and organizations’ automated decision-making practices across multiple sectors and the resulting harms to consumers,
- Gaps in existing civil rights and consumer protection laws that prevent access to information and prevent consumers from opting out of automated decision-making,
- Access and opt-out rights and risk assessment requirements under U.S. law compared to the EU’s General Data Protection Regulation, and
- Recommendations for the scope and content of risk assessments and of responses to access requests for automated decision-making.
CDT’s comments also explain access and opt-out rights and risk assessments as they pertain to employment in particular. As of January 1, 2023, data that employers collect about workers is no longer exempt from the law – as a result, data used for employment decisions can be subject to the same privacy protections afforded to all California consumers. Therefore, properly scoped implementation of the CCPA is vital for all Californians.