This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 2 minutes read

California Releases Updated Draft Regulations on Artificial Intelligence (AI) and Automated Decision-Making Technology (ADMT)

On February 23, 2024, the California Privacy Protection Agency (CPPA) released updated draft regulations on the use of AI and ADMT. The key changes include:

  1. New and updated definitions, 
  2. Increased scope for activities requiring opt-outs and risk assessments,
  3. Added obligations for companies that are using physical or biological identification or profiling, and
  4. An option for businesses to offer human review in lieu of an opt-out of ADMT. 

The CPPA narrowed the definition of what would be considered ADMT. Clarifying that it would only apply to automated technologies that execute a decision, replace human decision-making, or substantially facilitate human decision-making. They also specified what would not be considered ADMT, including web hosting, domain registration, networking, robocall filtering, firewalls, etc.1

While they narrowed the scope of ADMT, the CPPA expanded the scope of profiling. The proposed updates would now also include any automated processing that analyzes or predicts aspects of a person’s intelligence, ability, aptitude, mental health, or predispositions. The new, comprehensive definition of profiling would be “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s intelligence, ability, aptitude, performance at work, economic situation; health, including mental health; personal preferences, interests, reliability, predispositions, behavior, location, or movements.” 2

The updated definition of “Behavioral Advertising” includes the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity both across businesses, distinctly branded websites, applications, or services, and within the business’s own distinctly branded websites, applications, or services. Given that the definition of ADMT includes profiling, this means that companies that create customer profiles (even if those profiles are only created based on information that the company collected directly from the customer) will be required to:

  1. Disclose the profiling to customers beforehand,
  2. Allow customers to request the details of how their personal information is being processed,3
  3. Allow customers to opt out of that profiling, and
  4. Conduct a risk assessment on that profiling activity.

Some other key updates include increased obligations for businesses engaging in “physical or biological identification or profiling,” which is defined as using any physical or biological information to analyze or predict a person’s performance, behavior, whereabouts, etc. 

Businesses engaging in this sort of identification or profiling must:

  1. Validate that that profiling does not discriminate against any protected classes, 
  2. Implement accuracy and nondiscrimination safeguards.4

Another change is the addition of a “Human Appeal Exception,” which allows businesses to offer consumers the right to defer an automated decision to a human in specific instances, instead of providing them with the option to opt-out from the ADMT outright.5

If these updated regulations are passed, the key takeaways are that businesses engaging in behavioral advertising, profiling, AI, and ADMT as defined should be prepared to disclose these activities to impacted individuals, provide an opt-out option for these activities, and conduct and document risk assessments.



2. Ibid

3. A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology,

5. Ibid

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


article, compliance, cybersecurity & data privacy, data & technology, data privacy & cyber risk, risk & compliance

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with