On November 8, 2024, the California Privacy Protection Agency (CPPA) voted 4-1 to proceed with formal rulemaking regarding automated decision-making technology (“ADMT”), which the draft regulations define as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”  If enacted, the regulations would impose sweeping requirements on employers who rely on assistance from artificial intelligence (AI) tools in making “significant employment decisions,” which the regulations define to include “[h]iring; [a]llocation or assignment of work; salaries, hourly or per-assignment compensation, incentive compensation such as bonuses, or other benefits [];[p]romotion; and [d]emotion, suspension, and termination.”  The draft regulations take a similar approach to laws that have been enacted in New York and Colorado, in that they require certain disclosures and risk assessments, and require that employees and applicants be able to opt-out of being evaluated by AI in some contexts. 

The key elements of the draft regulations include the following:

  • Pre-Use Notice – Employers that use ADMT for significant employment decisions must inform “consumers”—which includes not only employees, but also independent contractors, and job applicants—about the employer’s use of ADMT, the consumer’s right to opt-out of ADMT, and the consumer’s right to access ADMT prior to the employer’s processing of any personal information.
  • Bias Review – Employers that use physical or biological identification or profiling for a significant employment decision must conduct a bias review to ensure that the software does not discriminate based on “protected classes” (which is undefined in the current draft).  It is unclear from the draft regulations whether the audit would need to assess the tool’s effects on that particular employer’s decision-making.  In New York City, for example, employers may rely on bias audits that use data from other entities in some contexts (e.g., if the employer has never used the tool before or has shared its data to the auditor for inclusion in the audit). 
  • Opt-Out – Employers “must provide consumers with the ability to opt-out of ADMT” for significant employment decisions.  However, employers may deny an opt-out request for decisions regarding hiring, allocation of work, and compensation if the ADMT has “accuracy and nondiscrimination safeguards,” meaning the employer “has conducted an evaluation of” and “implemented policies, procedures, and training to ensure that the automated decisionmaking technology works as intended for the business’s proposed use and does not discriminate based upon protected classes.”
  • Cybersecurity Audits –Employers that use ADMT for significant employment decisions must complete an annual cybersecurity audit to, among other things, “assess and document the effectiveness of” the employer’s cybersecurity program “in preventing unauthorized access, destruction, use, modification, or disclosure of personal information,” “[i]dentify and describe in detail the status of any gaps or weakness” in the employer’s cybersecurity program,” and “[d]ocument the business’s plan to address the gaps and weaknesses.”  Businesses must use “a qualified, objective, independent professional” that may be “internal or external to the business.” 
  • Risk Assessments – Employers that use ADMT for significant employment decisions must complete a risk assessment within “24 months from the effective date of the[] regulations,” and thereafter must complete a risk assessment “every calendar year” before initiating the processing of personal information “to determine whether the risks to consumers’ privacy from the processing of personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public.”  Employers must submit the annual risk assessment to the CPPA.  Among other requirements, the risk assessment must “identify [the] purpose for processing consumers’ personal information” (which “must not be identified or described in generic terms, such as ‘to improve our services’ or for ‘security purposes’”); the “method for collecting, using, disclosing, retaining, or otherwise processing personal information”; “the negative impacts to consumers’ privacy associated with the processing”; and “safeguards that [the employer] plans to implement to address the negative impacts.”

Now that the CPPA has published its notice of proposed rulemaking, the public comment period begins.  The CPPA requested that the standard 45-day public comment period be extended due to the holidays.  Thus, comments will be due in early 2025, but no specific date has been set. 

We will continue to monitor these developments.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jonathan Slowik Jonathan Slowik

Jonathan Slowik is a special counsel in the Labor Department and a member of the Employment Litigation & Counseling Group.

Photo of Jennifer McDermott Jennifer McDermott

Jennifer McDermott is an associate in the Labor & Employment Law Department and a member of the Employment Litigation & Arbitration Practice Group and Counseling, Training & Pay Equity Practice Group.  Jennifer defends employers in a variety of labor and employment matters in…

Jennifer McDermott is an associate in the Labor & Employment Law Department and a member of the Employment Litigation & Arbitration Practice Group and Counseling, Training & Pay Equity Practice Group.  Jennifer defends employers in a variety of labor and employment matters in both state and federal courts, including wage and hour single-plaintiff lawsuits and class, collective, and Private Attorneys General Act (PAGA) representative actions.

Jennifer received her B.A. from UCLA, where she graduated summa cum laude and was elected Phi Beta Kappa, and she earned her J.D. from UCLA School of Law. While in law school, Jennifer completed a judicial externship for the Honorable Richard A. Paez of the U.S. Court of Appeals for the 9th Circuit. She also served as a legal writing advisor to first-year students and worked as a legal advocate at the Lanterman Special Education Law Clinic. Jennifer received a Dean’s Merit Scholarship, the B. Epstein and C. Kim Tax Law Scholarship, and two Masin Family Academic Excellence Gold Awards for the highest grade in Legal Research & Writing and Disability Law.

Photo of Guy Brenner Guy Brenner

Guy Brenner is a partner in the Labor & Employment Law Department and leads the Firm’s Washington, D.C. Labor & Employment practice. He is head of the Government Contractor Compliance Group, co-head of the Counseling, Training & Pay Equity Group and a member…

Guy Brenner is a partner in the Labor & Employment Law Department and leads the Firm’s Washington, D.C. Labor & Employment practice. He is head of the Government Contractor Compliance Group, co-head of the Counseling, Training & Pay Equity Group and a member of the Restrictive Covenants, Trade Secrets & Unfair Competition Group. He has extensive experience representing employers in both single-plaintiff and class action matters, as well as in arbitration proceedings. He also regularly assists federal government contractors with the many special employment-related compliance challenges they face.

Guy represents employers in all aspects of employment and labor litigation and counseling, with an emphasis on non-compete and trade secrets issues, medical and disability leave matters, employee/independent contractor classification issues, and the investigation and litigation of whistleblower claims. He assists employers in negotiating and drafting executive agreements and employee mobility agreements, including non-competition, non-solicit and non-disclosure agreements, and also conducts and supervises internal investigations. He also regularly advises clients on pay equity matters, including privileged pay equity analyses.

Guy advises federal government contractors and subcontractors all aspects of Office of Federal Contract Compliance Programs (OFCCP) regulations and requirements, including preparing affirmative action plans, responding to desk audits, and managing on-site audits.

Guy is a former clerk to Judge Colleen Kollar-Kotelly of the US District Court of the District of Columbia.