California Releases Draft of Regulations Covering AI Use

December 18, 2023

The California Privacy Protection Agency (CPPA) recently revealed a draft of new regulations. This draft cites new protections for consumers, applicants, and employees. These proposed rules would regulate how businesses use automated decision-making technology.

According to the proposal, employers must provide a pre-use notice to applicants and employees applying for a job. It must supply access information concerning the employer’s use of automated decision-making technology. It should also include the applicant’s or employee’s right to opt out. 

The Draft

In some situations, the rules would require businesses to conduct risk assessments. The company must also provide an easy method to learn more about the company’s automated decision-making technology. The draft explains that companies must include the following information:

  • “The logic used in the automated decision-making technology, including the key parameters that affect the output of the automated decision-making technology. The business shall explain why these parameters are key;
  • The intended output of the automated decision-making technology (e.g., a numerical score of compatibility);
  • How the business plans to use the output to make a decision, including the role of any human involvement and 
  • Whether the business’s use of the automated technology has been evaluated for validity, reliability, and fairness, and the outcome of any such evaluation.”

The regulations require businesses to allow applicants and employees to opt out. However, this requirement applies if the employer would use the automated tool “For a decision that produces legal or similarly significant effects concerning a consumer.” The draft also provided exceptions to the new regulations. Such exceptions include:

  • “To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
  • To protect the life and physical safety of consumers; or
  • To provide the good or perform the service requested explicitly by the consumer,” and there is no other reasonable way to provide the service. (There is a rebuttable presumption that an appropriate alternative delivery method exists.)

Those Covered

The regulations would also cover several employee-facing technologies. These include productivity monitors, face or speech detection or recognition, and location trackers. Other examples include keystroke loggers, social media monitoring tools, and video or audio recording.

Other regulations would require businesses to provide consumers two or more methods to submit opt-out requests. They must also define the primary means of communication between the company and customers. The company must explain that consumers can use the automated tools in this communication. 

As such, it must be clear that the consumers may opt out of all use of the tools. Businesses that receive an opt-out request must comply immediately. They may ask the consumer about using the automated tools after 12 months of receiving the opt-out request.

The changes are still a draft, meaning the details still require finalizing. As such, employers have time to evaluate and revise their hiring policies. One way to ensure future and current compliance is by working with a trustworthy background screening company. The right partner will use their experience to ensure your company complies with all relevant regulations.

Keep your business up to date on new laws and regulations with JDP’s free news resources. Keep your business compliant with new laws and regulations with Pre-employ’s reliable background checks. Contact a sales rep today.