On July 24, the California Privacy Protection Agency Board finalized rules on AI-related, automated decision-making technologies (ADMT), cybersecurity audits, and risk assessments, as well as updates to existing CCPA regulations.
These regulations, which were approved by the California Office of Administrative Law on Sept. 23, will impact a broad swath of businesses handling personal information of California residents.
Nikki Bhargava, a partner in the Emerging Technologies group at global law firm Reed Smith who advises consumer brands and advertising agencies, spoke to NutraIngredients about what advertisers and brands should know about the current finalization of CCPA regulations as well as what they should be doing to comply.
NI: Do the updated CCPA rules apply to small- and mid-size supplement manufacturers or only to larger enterprises based on revenue thresholds?
Nikki Bhargava (NB): The updated rules continue to apply to companies that meet the same thresholds as before. They apply to a business that meets any one of the below thresholds:
- As of Jan. 1 of the current year, had annual gross revenues in excess of $25 million in the preceding calendar year, as periodically adjusted ($26,625,000 for 2025).
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
The CCPA also applies to (1) any business that controls or is controlled by a business that meets one of the thresholds above and shares common branding with such business with whom the business shares consumers’ personal information, and (2) a joint venture or partnership composed of businesses meeting the threshold in which each business has at least a 40% interest.
However, it should be noted that the new cybersecurity regulations only apply to a subset of businesses, namely businesses that:
- Derive 50% or more of annual revenues from selling or sharing consumers’ personal information; OR
- As of Jan. 1 of the current year, had annual gross revenues in excess of $25 million in the preceding calendar year, as periodically adjusted ($26,625,000 for 2025), AND either:
  - Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; or
  - Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
NI: If a supplement company collects data only for marketing purposes (e.g., email newsletters, promotions), does that fall within the scope of the CCPA’s revised rules on automated decision making?
NB: For general marketing activities, data collected solely for marketing purposes would not fall within the CCPA regulations applicable to automated decision-making technology (ADMT).
Specifically, the regulations apply where businesses use ADMT (which also includes profiling) to make significant decisions concerning a consumer, where a “significant decision” is a decision that concerns the denial or provision of financial or lending services, housing, education opportunities, employment opportunities or healthcare services. “Significant decision” specifically excludes advertising to consumers.
With that said, supplement companies should note if their marketing includes ADMT or profiling that could be considered “healthcare services” under the CCPA, which is broadly defined as services related to the diagnosis, prevention or treatment of human disease or impairment, or the assessment or care of an individual’s health.
NI: How should a supplement company provide a “pre-use notice” to a consumer browsing its website—is a privacy policy update sufficient or is a pop-up required?
NB: If a supplement company is subject to the ADMT regulations, then a compliant pre-use notice must be provided before or at the time that the business collects the personal information that will be processed using ADMT.
It should be noted that if the business wants to use personal information that it already collected, the business has to provide the pre-use notice to the consumer before the business starts processing the previously collected personal information using ADMT. The pre-use notice must be prominent and conspicuous.
Putting the notice in a banner or in the general privacy policy may not be enough; it will depend on the use, how the policy is presented and how information is collected. Additionally, given the specificity required for the notice, businesses may find they need to customize the notice for each ADMT used.
NI: What practical steps should a supplement company take to offer consumers an opt-out from ADMT, especially if they only operate online?
NB: Businesses must offer at least two methods of opt-out. Businesses that operate online must, at a minimum, provide an opt-out link (e.g., “Opt-out of Automated Decisionmaking Technology”) in their pre-use notice to an interactive form.
Generally, businesses should consider the ways in which they interact with the consumer. Businesses that are exclusively online may consider a designated email address as a second opt-out method.
It is also important to ensure that the business can track personal information that is being processed using an ADMT for a significant decision, in order to effectuate the opt-out request properly.
NI: Is there a recommended format or language for the opt-out feature that companies should adopt to ensure compliance?
NB: The language should clearly communicate what the opt-out is for, and the opt-out should be specific. An example title for the opt-out link from the regulations is “Opt-out of Automated Decisionmaking Technology”. Opt-out language should not be bundled with other opt-outs; it should be clear that the opt-out is for the use of ADMT.
NI: If a supplement company uses ADMT to recommend personalized supplement regimens, does that fall under the “significant decision” category that triggers consumer rights obligations?
NB: Supplement companies should look at the data analyzed to personalize the recommendation as well as the relation of the recommendation to the individual’s health and evaluate if the personalization is a service related to the diagnosis, prevention or treatment of human disease or impairment, or the assessment or care of an individual’s health.
With that said, even if the personalization is deemed to be an assessment or care of an individual’s health, the business should ensure that it is truly using ADMT as defined under the regulations to make the recommendation.
NI: What would a pre-processing risk assessment look like for a supplement company using customer data to train a product recommendation engine?
NB: First, the manner of product recommendation should be evaluated to determine if it triggers a risk assessment, such as if the processing involves the sharing/sale of personal information, the processing of SPI, the use of an ADMT for significant decisions, or if personal information is used to train an ADMT for a significant decision, or to train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or used to conduct physical or biological identification or profiling of a consumer.
If a risk assessment is triggered, then a risk assessment must include:
- a detailed description of the processing purpose(s) and details,
- a risk/benefit analysis for consumers (including physical, reputational and psychological harms),
- mitigation measures taken, and
- consideration of less intrusive alternatives.
The business would need to understand and evaluate detailed operational elements of the processing, including:
- how the information is collected and used and from what sources,
- retention period,
- the number of consumers whose information is processed,
- categories of other parties that may process the data and for what purposes, and
- if ADMT is involved, the ADMT’s logic and output. The risk assessment should also detail safeguards to address negative impacts/risks identified in the assessment.
NI: If a supplement brand sells wearable health tech (e.g., sleep trackers or mood monitors), how should they treat data that could be categorized as “neural data”?
NB: “Neural data” is information that is generated by measuring the activity of a consumer’s central or peripheral nervous system and that is not inferred from nonneural information.
Companies processing data that qualifies as neural data should treat it as sensitive personal information (SPI), including:
- ensuring that the use, disclosure, sharing and sale of SPI is properly disclosed in privacy notices,
- offering a right to limit the use and disclosure of sensitive personal information,
- conducting a risk assessment before processing SPI, and
- evaluating whether the business must conduct a cybersecurity audit.
NI: Would survey data on consumer wellness goals or mental clarity preferences fall under “sensitive personal information,” given its health implications?
NB: It is possible, depending on the exact questions and information solicited, that survey information about wellness goals or mental clarity could be deemed “sensitive personal information” under the CCPA (and other privacy laws), as it may be personal information that is analyzed concerning a consumer’s health.