The California Privacy Protection Agency is pushing ahead with AI regulation. It has decided to update the California Consumer Privacy Act (CCPA). The CCPA is specifically designed to give Californian consumers more control over their personal data. In view of the increasing importance and use of AI systems in various areas, the CCPA will be expanded to include the corresponding regulations. This article looks at the impact of the AI regulations on companies.
Important provisions of the CCPA
The CCPA regulates in detail how companies must handle personal data. The most important provisions include:
- Information obligations and transparency: When collecting data, companies must clearly inform consumers about what data is being collected and for what purpose.
- Opt-out and opt-in rights: Consumers have the right to object to the sale or sharing of their data (opt-out). Companies must provide a clearly visible "Do Not Sell or Share My Personal Information" link on their websites that allows consumers to object immediately.
- Right to deletion and correction: Consumers can request the deletion or correction of their data if it is incorrect or incomplete.
- Protection of sensitive personal data: Companies may only use sensitive data to the extent necessary for the provision of services and must obtain consent if it is to be used for other purposes.
Four articles are to be newly added: Article 9 (cybersecurity audits), Article 10 (risk assessments), Article 11 (Automated Decision-Making Technology, ADMT) and Article 12 (Insurance Companies). The California Privacy Protection Agency intends to incorporate the new articles into the California Consumer Privacy Act as soon as possible.
New: AI regulation with a focus on ADMT
In the context of data protection, clear regulations have been developed specifically for the use of ADMT. The CPPA defines ADMT as any technology that processes personal information and uses calculations to make a decision or significantly facilitate decision-making. This ranges from recommendation algorithms and scoring in lending to the monitoring and analysis of large amounts of data in real time.
One of the biggest challenges when using AI in decision-making systems is transparency. It must be clear which decisions are made automatically and on what basis. This includes disclosing the algorithms and checking for bias or discrimination to ensure that decisions are fair and objective.
The use of AI in decision-making systems also creates new security and data protection challenges. The CPPA emphasizes the importance of cybersecurity audits and risk assessments to ensure that personal data is protected when using such technologies. In addition, the legislation provides that consumers have the right to question or reject certain automated decision-making processes.
Effects of the CCPA on companies
The CCPA requires companies to establish processes that meet the legal requirements. The potential consequences are manifold:
- Changes in data processing and storage: Companies must ensure that only the necessary data is collected and used. Superfluous data storage and processing may violate the law.
- Increased security requirements: Companies must take measures to protect personal data, including security and data protection programs. Particularly sensitive information such as biometric or health-related data requires special security precautions.
- Technical implementation of opt-out functions: The CCPA requires companies to provide technical solutions that allow consumers to easily and effectively protect their privacy. This includes the implementation of a "Do Not Sell or Share" link and the ability for consumers to manage their data directly on the company's website.
- Revise privacy policies: Businesses need to adapt their privacy policies to meet the requirements of the CCPA and be transparent about consumer rights. The privacy policy must be easily accessible and written in clear language.
- Strict rules for third-party providers and partner companies: Companies are required to ensure that their service providers and partners also comply with CCPA requirements. This means that companies will have to make new contractual agreements and checks to ensure compliance.
Failure to comply with the CCPA can have significant financial and legal consequences for companies. The Californian data protection authority can impose fines if companies violate the requirements of the law. These fines can be high and are tied to the number of consumers affected and the severity of the privacy violations.
Source: California Consumer Privacy Act (submitted October 2024)