Decisions, decisions. We are deluged by decisions. What present should I buy? Is the small cheese plate enough for my party guests, or should I go with the large? How much of my bonus should I set aside for retirement this year, or should I up my charitable giving?
Wouldn’t it be nice if we could all get a little technological assistance in making choices this holiday season?
Or maybe not—it’s one thing to estimate the amount of cheese, but do I want technology telling me how much to save? And how much information does an algorithm need to pick the perfect gift? Also, what if the decisions are being made about me instead of the other way around—can a computer decide if I will receive that bonus in the first place?
State privacy law will have something to say on the subject heading into the new year. Comprehensive privacy laws are now in force in four states—California, Colorado, Connecticut and Virginia—and each of these laws includes rules around “automated decisionmaking” or “profiling” technologies. A fifth state law in Utah will go into operation on December 31, 2023. It is the only comprehensive privacy law that does not currently include requirements around automated decisionmaking, but it does include standard rights around access and deletion that will still impact such technologies. Comprehensive privacy laws will also go into effect in at least seven other states in the next three years, all of them having some form of the right to opt out of automated decisionmaking.
Rocky Mountain Way
First up is Colorado, which finalized regulations around automated decisionmaking in March 2023 (the “Colorado Regulations”). The Colorado Privacy Act (“CPA”) gives consumers the right to opt out of “Profiling” in furtherance of “Decisions That Produce Legal or Similarly Significant Effects” concerning a consumer. To apply, the process must include an evaluative or predictive element. “Profiling” means automated processing of personal information to “evaluate, analyze or predict aspects concerning an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” For example, the processing could use location data to predict subsequent consumer behavior, provided that the prediction furthers a “Decision That Produce[s] Legal or Similarly Significant Effects.”
“Decisions That Produce Legal or Similarly Significant Effects” are decisions around financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services or access to essential goods or services. To take one example, the decisions would include hiring, firing or promotion (i.e., employment opportunities), but should not include more routine employment-related activities such as attendance monitoring.
If the decision has such effects, the Colorado law provides for an ability to opt out. Once that opt-out election is made, the Colorado Regulations state that the business may not engage in the profiling unless the consumer subsequently opts back in (the business obtains opt-in consent). Additionally, prior to conducting the profiling, the business must conduct a data protection assessment to determine whether the risks of the processing outweigh the benefits of the processing and make required disclosures.
The opt-out is further cabined by the amount of human involvement in the decisionmaking. The Colorado Regulations clarify that the right to opt out must only be honored with respect to automated decisions made without meaningful human involvement. Accordingly, if a human engages in meaningful consideration of available data used in the processing or any output of the processing and has the authority to change or influence the outcome of the decision, then a business can deny the opt-out request—provided that it supplies additional information to the consumer about how the decision was made. That means that although individuals are entitled to receive disclosures about human-involved profiling with legal or similarly significant effects, they cannot automatically require that a business stop conducting the processing. That is in contrast to the more expansive draft regulations currently under consideration in California.
The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), requires the California Privacy Protection Agency (“CPPA”) to adopt regulations around automated processing. Those regulations are currently in the pre-rulemaking process; we expect them to become final sometime in 2024 but to undergo further development in the interim. As currently drafted, the regulations would establish some of the broadest rules in the country around so-called automated decisionmaking—so-called because the current draft definition of “automated decisionmaking technology” is so broad that it would apply to computational technologies that merely facilitate human decisionmaking, not just technologies that actually make decisions. In other words, if you use a calculator to make choices about California residents, the California rules could provide those residents the right to opt out of the processing. Pull out your pen and paper.
The draft California rules would only apply to certain categories of decisions, but even those categories are quite broad. They include profiling of California residents acting as an employee, independent contractor, job applicant or student, profiling a California resident while they are in a publicly accessible place, profiling a consumer for behavioral advertising, profiling a consumer that the business has actual knowledge is under the age of 16, processing personal information to train artificial intelligence or other automated technologies, and making other decisions that have legal or similarly significant effects. As in Colorado, “profiling” means any form of automated processing of personal information to evaluate personal aspects relating to the person, such as their performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. Unlike in Colorado, for opt-out rights to apply, decisions involving profiling would not be required to have legal or similarly significant effects.
Additionally, decisions that do have legal or similarly significant effects are subject to opt-out rights whether or not they involve profiling. Use of a computational technology alone (i.e., use of a calculator or Microsoft Excel) would be sufficient with or without profiling if the decision being made has a significant effect. That could open the door for a wide range of abuses by individuals to delay some decisionmaking. Do you want to delay a negative employment outcome? Require the business to reach it without the use of a computer.
The draft California rules do contain exceptions for fraud detection, cybersecurity, and actions to protect the life and physical safety of California residents (notably, not residents of other states, although this is likely due to poor drafting). Businesses are also not required to provide the right to opt out where the consumer requests the offered goods or services, but only if there is no reasonable alternative method of processing taking into account factors such as whether there is an alternative method of processing that is or has been used in the business’s industry. Did clerks in the time of Charles Dickens process loan applications using parchment and quill pens? That could be a factor in whether your business is permitted to use technological means to make decisions today.
With that said, the California rule is so broad as drafted that even the board of the CPPA has blanched. At its December 8, 2023 board meeting, board members discussed the potentially wide reach of the definition of “automated decisionmaking” and sent the draft back to staff for further consideration and refinement. It was acknowledged that some of the definitions were overbroad as drafted. Alastair McTaggart, a CPPA board member and the founder of Californians for Consumer Privacy (sponsor of the ballot initiatives leading to adoption of both the CCPA and CPRA), noted that the draft rules could intrude on routine employment tracking and decisionmaking. We expect to see further revisions. Given the breadth of the rules to date, though, it remains likely that the final drafts will apply to a broad range of technologies.
Nutmeg, Dogwood and Other State Privacy Laws
Similar to Colorado, the Connecticut Data Privacy Act (“CDPA”) and Virginia Consumer Data Protection Act (“VCDPA”) both require that businesses provide an opt-out for profiling that will have legal or similarly significant effects concerning a state resident. Unlike Colorado, neither law provides for implementing regulations, so there are no regulations to turn to for guidance. We will closely monitor for enforcement in the coming year.
The Utah Consumer Privacy Act (“UCPA”), meanwhile, will go into effect in less than a month on December 31, 2023. Alone of the 12 states that have currently adopted a form of comprehensive privacy law, the UCPA does not specifically address automated decisionmaking. As with other comprehensive privacy laws, however, the UCPA does contain rights to access and delete data, which could be used to learn about and limit the use of personal information in automated decisions.
Each of the other seven states does include rights around automated decisions. Next up is Texas, which includes a right to opt out of “profiling,” like Colorado, Connecticut and Virginia. As defined in the Texas statute, however, “profiling” involves “solely” automated processing, rather than some combination of human and automated analysis. Texas does not use the phrase “legal or similarly significant effects,” opting instead to limit the right to decisions involving a foreseeable risk of unfair or deceptive treatment of consumers, financial, physical, or reputational injury, intrusions on seclusion or other substantial injuries.
Ropes & Gray will continue to monitor developments around state privacy laws and automated decisionmaking in the coming year.
The definition of “profiling” is arguably narrower under the CDPA and VCDPA. It applies to “automated processing performed on” personal information rather than any “automated processing of” personal information, as defined under the CPA and the draft California regulations. The use of “performed on” suggests more active use of the technology than the passive form used in the Colorado statute and California regulations.
California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Florida and Nevada have also adopted privacy laws that are sometimes referred to as “comprehensive,” but are not addressed here given their more limited scope.