Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

On 19 Feb., 18 California legislators published an open letter to the California Privacy Protection Agency criticizing the board's practices in drafting automated decision-making technology regulations under the California Consumer Privacy Act, as modified by the California Privacy Rights Act. 

"We write as Members of the California Legislature to share our comments and concerns regarding the CPPA's Automated Decision Making (ADMT), risk assessment and cybersecurity audit rulemaking, and in particular on the proposed ADMT/AI related regulations," the legislators wrote.

They expressed concerns that the CPPA is acting independently without coordination with the legislature or the governor on drafting CCPA regulations, and that the cost would be excessively burdensome for businesses. 

The CCPA passed in 2018 and took effect in 2020. However, Proposition 24, also known as the CPRA, passed in late 2020 and significantly modified provisions of the CCPA, while mandating creation of the CPPA, the nation's only dedicated privacy rights enforcement agency.

There are now 16 U.S. state consumer laws in effect and, thus, 16 attorneys general to enforce their laws. The critical difference with the CPPA's enforcement of the CCPA is that the agency has only one priority: California privacy law enforcement.

The CPPA was built from the ground up while also drafting regulations consistent with the CPRA mandate. In 2023, the CPPA finalized regulations for some of the CPRA provisions but left the more complicated regulations concerning assessment for high-risk processing, cybersecurity audits and ADMT regulations for Phase 2.

On 8 Nov. 2024, the CPPA voted to advance these Phase 2 draft regulations to public comment, which closed 19 Feb., the same day the legislators published the letter to the CPPA.

The regulations will presumably be finalized sometime this year. Businesses would have 24 months from the date the regulations take effect to complete their first cybersecurity audit and risk assessment and, under the current draft, to submit an abridged version to the CPPA. Other requirements of the ADMT regulations, like pre-use notices and internal assessments to meet the opt-out exceptions, would be expected to begin in January 2027.

In the letter, the legislators expressed significant concern that the agency has acted independently on artificial intelligence regulation. They summarized the legislature's activity on AI legislation in the last session and stated, "each of you must work with the Legislature and Governor (Gavin) Newsom to implement the specific statutory authority delegated to the Agency, rather than act alone." They went on to say, "While we recognize CPPA's role in the regulatory setting, the CPPA must avoid operating in a vacuum when developing regulations."

Is this opinion or is it rooted in law?

The CPPA is a creature of the California ballot proposition or "initiative" system of legislating. This grassroots process bypasses the elected legislature: citizens can pass laws by their own initiative with the same effect as if the legislature had done so. Also referred to as "direct democracy," it was approved by California voters in 1911.

The legislators argue the CPPA exceeded its authority by regulating AI. However, the CPRA does not contain any requirements that the agency coordinate or even consult with the legislature on the development of the required regulations.

Section 21 of the CPRA text specifies the CPPA's authority to issue regulations on risk assessments, the cybersecurity audits, and the automated decision making regulations.

Section 21 (Section 1798.185 of the Civil Code)(15)(A) states the cybersecurity audit will be performed on an "annual basis," and the regulations to be issued by the agency will define the scope of the audit and establish "a process to ensure that audits are thorough and independent."

Section 21(1798.185)(15)(B) addresses the risk assessment for high-risk processing, specifying that businesses required to submit the risk assessment will do so on a "regular basis." Specifically, the assessment is to include "whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets."

Section 21(1798.185)(16) addresses the controversial ADMT regulations, stating the regulations will govern "access and opt-out rights with respect to businesses' use of automated decisionmaking technology, including profiling and requiring businesses' response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer."

The CPRA provisions do not call for any exceptions to the opt-out right, but the agency has included the "human appeal" and the "evaluation" exceptions in its draft ADMT regulations.

The CPRA refers directly to automated decision-making technology but does not define it. That task fell to the CPPA staff attorneys. It is no secret some CPPA board members have voiced concern that the staff attorneys' definition of ADMT was broad.

Are they hinting that ADMT does not mean AI? In public comment at recent public CPPA meetings, there were many direct requests that the agency refrain from regulating AI or ADMT and instead defer to the legislature.

Unfortunately for that point of view, the agency does have a legal mandate to draft and adopt regulations pursuant to the CPRA.

In trying to understand the intersection between AI and ADMT, in an article titled "Automated Decision Making Emerges as an Early Target of State AI Regulation," the law firm White & Case writes, "While there is no uniform definition of 'automated decision making,' it can be understood to mean the use of AI, machine learning systems, and/or algorithms to make decisions without or with minimal human input and control."

Is it possible to draft ADMT regulations that do not impact use of AI by businesses? Probably not.

Where do the ADMT draft CCPA regulations and their definition stand?

According to a recent Debevoise & Plimpton article, "The Draft Regulations define ADMT as 'any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.' The draft regulations also provide that ADMT 'includes profiling.'"

The article states the "definition of ADMT distinguishes a list of technologies, including firewalls, calculators, or spreadsheets, which are presumptively not considered ADMT, provided they do not execute a decision, replace human decisionmaking, or substantially facilitate decision making."

There is no doubt a patchwork of privacy and AI-related laws in the U.S., and there will continue to be until a federal law is passed. There are several other AI-related laws in the U.S. as well as 18 new AI laws in California passed last session, as referenced by the legislators in their letter.

Colorado passed the first and only comprehensive AI law in May 2024, which takes effect in February 2026. Utah has a law regulating generative AI and an Illinois law is focused on AI in the workplace. New York City's local law 144, which requires all employers using AI in recruiting to conduct an independent bias assessment, took effect January 2023.

While the frustration of the California legislators is understandable, they will need to pursue their objectives while being mindful of the agency's rulemaking power, vested in it by the direct power of the state's ballot initiative process.

The CPPA will hold its next public meeting on 4 April, when members are expected to vote on the draft regulations, including possible modifications.

Jennifer Sheridan, AIGP, CIPP/E, CIPP/US, is principal at JLSheridan Law.