One notable difference between the California Consumer Privacy Act (CCPA) and Europe’s General Data Privacy Regulation (GDPR) is that only the latter provides the right for individuals to not be subjected to automated decision-making, including profiling, which has legal or other significant effects on that individual.
But, the CCPA still creates issues for covered entities operating in the artificial intelligence (AI) and machine learning (ML) space. For example, how does one comply with an individual’s request to delete their data–the so-called right to be forgotten–with respect to a “black box” ML model that used that individual’s personal information as training data? When is a consumer’s data sufficiently “aggregated” or “deidentified” such that its use in a ML model escapes the CCPA’s scope?
If one thing is certain, it is far better to take a proactive approach and address these questions early in the design and development of new products and services. Be sure to invite the appropriate stakeholders to that conversation, including your attorney!