EPIC Advises California Privacy Agency on Automated Decision-Making Systems, Risk Assessments, Emergency Data Requests

May 9, 2022

EPIC staff urged the California Privacy Protection Agency to adopt strong, privacy-protective regulations under the state’s new data protection law during a series of stakeholder sessions held this week.

EPIC Counsel Ben Winters recommended a broad definition of “automated decision making technology” covered by the California Privacy Rights Act and a risk-tiered approach to regulating such systems. Winters called for stricter requirements and enforcement for automated decision making tools that collect sensitive information; are used to profile or purport to recognize faces or emotions; or are used in certain high-risk contexts like housing, hiring, and education.

EPIC Senior Counsel John Davisson urged the CPPA to ensure that risk assessments required under the CPRA are conducted early and often; are made available to the public; and consider the full range of harms that the processing of personal data can cause.

EPIC Law Fellow Chris Frascella warned the agency about the risk of hackers obtaining personal data through fake emergency data access requests and suggested safeguards to prevent abuse.

In Fall 2021, EPIC, Consumer Action, the Consumer Federation of America, and New America’s Open Technology Institute filed comments urging the agency “to continue ‘protect[ing] consumers’ rights’ and ‘strengthening consumer privacy’ at every opportunity, consistent with the expressed will of California voters.” The CPPA is expected to publish final regulations in late 2022.
