Gibson Dunn Submits Comment on Proposed Automated Decisionmaking Technology Regulations in California
Client Alert | March 17, 2025
Gibson Dunn lawyers will closely monitor these rules as the rulemaking process proceeds, and we stand ready to advise clients through the rulemaking procedure and on how to comply with final rules should they come into effect.
On February 19, 2025, Gibson Dunn submitted a comment to the California Privacy Protection Agency regarding its proposed regulations on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits. Along with others, including industry groups, companies, and legislators, Gibson Dunn highlighted some of the most troubling aspects of the proposed regulations, which, as drafted, would impede innovation and impose unprecedented burdens on businesses, all without commensurate benefits to the privacy or security of Californians. A copy of Gibson Dunn’s comment can be found here.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), narrowly directed the California Privacy Protection Agency (CPPA) to issue regulations “governing access and opt-out rights with respect to business’ use of automated decisionmaking technology” and requiring businesses to perform cybersecurity audits and risk assessments when the “processing of consumers’ personal information presents a significant risk to consumers’ privacy or security.” The proposed regulations, however, go far beyond this grant of authority and, if enacted as drafted, would require businesses to comply with a range of obligations that do not advance privacy or security. Key issues with the proposed regulations include:
- An overbroad definition of ADMT. The proposed regulations define ADMT to include “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” As Gibson Dunn explains in our comment letter, this broad definition would sweep in technology that merely “executes” or “substantially facilitates” human decisionmaking, which significantly exceeds the plain language definition of “automated.” This overbroad definition could potentially subject a tremendous range of ordinary business activities to these regulations, which is why we have urged the CPPA to narrow the scope of its definition.
- Overbroad definition of “significant decisions” as the trigger for key obligations. The trigger for many of the obligations in the proposed regulations is the use of ADMT in connection with a “significant decision.” The draft rules define “significant decision” broadly and in a manner that is unrelated to the privacy and security considerations undergirding the CCPA. This conflicts with the animating purpose of the CCPA to protect privacy and security, and attempts to leverage the narrow mandate to regulate those risks in the context of ADMT to instead regulate socially important activities generally.
- Limitations on first-party advertising. The proposed regulations would also upend the rules governing first-party advertising. In particular, the CPPA’s proposal would require businesses to give consumers opt-out rights when businesses use ADMT to profile consumers for “behavioral advertising” within the business’s own distinctly-branded websites, applications, or services, even though the CCPA specifically excluded such first-party advertising from those opt-out requirements. Our comment urges the CPPA to strike provisions related to “behavioral advertising” from the proposed regulations.
- A “pre-use notice” for ADMT. The proposed regulations would require businesses to provide consumers with a burdensome, “prominent and conspicuous” “pre-use notice” for ADMT detailing information about the opt out right and any exceptions; how the ADMT works (including its “logic,” “key parameters,” and “intended output”); and the role of humans in the decision. Again, the CCPA does not actually authorize pre-use notices. Rather, it only provides for access and opt-out rights.
- Detailed information in pre-use notices and access requests. Not only do the proposed regulations require the dense information outlined above for pre-use notice to be described in “plain language”, but the rules also require individualized responses that detail how ADMT has been used with respect to that consumer. This requirement fails to acknowledge the challenges of translating complex models into a form understandable by ordinary consumers, and creates a substantial risk of misleading disclosures, since these models are constantly changing and vary in their application to individuals.
- Onerous risk assessments. The CPPA has also used its statutory authority to propose regulations requiring risk assessments for data processing that poses “risks to privacy” to construct a regime that requires businesses to opine on a range of issues unrelated to privacy. For example, the draft regulations require businesses to comment on the “completeness, representativeness, timeliness, validity, accuracy, consistency, and reliability” of their information sources and the “logic” of certain algorithms. The CPPA has not explained how these factors relate to privacy, which is the stated purpose of the risk assessments.
- Rigid cybersecurity audits. The cybersecurity audits required by the proposed regulations are also problematic. The draft regulations contain a detailed checklist with dozens of requirements, and do not permit businesses to use audits conducted in compliance with other accepted standards. This approach would lead to substantial compliance costs for businesses without materially improving the safety or security of consumers.
- Inconsistent rules on “physical or biological identification or profiling.” The proposed regulations require businesses that use “physical or biological identification or profiling” for a “significant decision” or “extensive profiling” to conduct evaluations and implement policies, procedures, and training to ensure accuracy and nondiscrimination. The CCPA, however, does not authorize regulation of “identification” and the proposed regulations also conflict with other statutory provisions. For example, the CCPA permits businesses to use sensitive personal information, including biometrics, to improve the services they offer without offering an opt-out right to consumers. The proposed regulations would create a contradictory right to opt-out of the use of biometric information to improve a business’s algorithm.
Gibson Dunn’s comment letter discusses these and other issues, urging the CPPA to revise the proposed regulations to focus on the privacy and security issues that animated the CCPA and CPRA. Gibson Dunn lawyers will closely monitor these rules as the rulemaking process proceeds, and we stand ready to advise clients through the rulemaking procedure and on how to comply with final rules should they come into effect.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Artificial Intelligence or Privacy, Cybersecurity & Data Innovation practice groups:
United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)
Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.