The California Privacy Protection Agency Board voted unanimously 24 July to finalize rules governing the use of automated decision-making technology, risk assessments, cybersecurity audits and insurance under the California Consumer Privacy Act. The board voted 5-0 on the regulations package following more than a year of drafting and debate during the pre-rulemaking and formal rulemaking phases.
The rules have undergone several revisions and faced heavy lobbying from technology and business interest groups, members of civil society and even California Gov. Gavin Newsom, D-Calif. The final vote and full support of the board demonstrated members were able to work through some of its thorniest issues, culminating in the removal of references to artificial intelligence and behavioral advertising in the ADMT text, as well as widening the scope of when ADMT can be used.
Board members cautioned that the rules are meant to be responsive to how technology is used and could be revisited if they do not meet the moment. The rules must be approved by California's Office of Administrative Law before they can take effect.
"I just want to remind everyone that nothing is written in stone. If something turns out not to be workable, that's why we have such a competent team," CPPA Board member Alastair Mactaggart said. "We can always come back and reevaluate it. ... Let's move forward and remove a lot of uncertainty from the regulatory process."
The finalized rules were largely unchanged from the version the CPPA Board sent for a final public consultation in May. The board received hundreds of comments after its final revision.
IAPP Cybersecurity Law Center Managing Director Jim Dempsey analyzed the Cybersecurity Audit Rule shortly after the rules were approved Thursday.
Substance and impact
The final version of the rules will only allow ADMT opt-outs when used in decisions where technologies "replace or substantially replace human decision-making." Human involvement now means a reviewer must know how to interpret an ADMT-driven output, review the output and other information related to the decision, while having the authority to change or correct the final rendering.
The rules require a risk assessment anytime a business processes data which might present a risk to consumers' privacy. Those instances include the selling or sharing of personal information; processing sensitive personal information; using ADMT for a significant decision concerning a consumer; using personal information to train ADMT for certain uses; and using automated processing to infer attributes about someone during education, job seeking, employment or independent contracting for a business.
Regulations for risk assessments also contain requirements for companies to "identify and document" the personal information their ADMT system will process.
CPPA Executive Director Tom Kemp indicated the rules' projected economic impact on businesses decreased due to the final changes.
The cost to businesses is now projected to be USD4.8 billion over a 10-year period compared to USD10 billion, with those costs expected to decrease over time. But the economic benefits are estimated much higher at USD282 billion over 10 years, largely pegged to a reduction in crime due to the cybersecurity audit and risk assessment requirements.
"By adopting these regulations, the agency can monitor how the regulations are working the industry and consumer vis a vis our privacy mandate, and more quickly make adjustments based on that data," Kemp added.
Stakeholders respond
The rulemaking process has taken place during a contentious debate about how much AI should be regulated in the U.S. at the federal and state levels.
The White House shifted the federal approach to support innovation. U.S. President Donald Trump's administration seeks to limit local laws considered "burdensome" to AI development, first through a proposed congressional moratorium, which was eventually voted out of a recent federal reconciliation bill, and now through executive action. Meanwhile, California and other states remain focused on establishing guardrails around broad or targeted AI use and development to better address consumer protection needs.
Reaction to the CPPA's final rules reflects the tension.
Some, including industry group TechNet, maintained that even the slimmed-down requirements would be overly broad and threaten California's business sector, and that estimated benefits to the state were overblown.
"We believe the agency should focus on the privacy obligations as a privacy agency, rather than broadly attempting to regulate the use of automated technology and AI," TechNet Executive Director for California and the Southwest Robert Boykin said.
In written testimony submitted during the board meeting, Electronic Privacy Information Center Litigation Director John Davisson indicated the final risk assessment rules had been "hollowed out in troubling ways" compared to prior drafts. EPIC issued a report in June unpacking specific examples regarding how those rules were watered down.
"Unfortunately, as a result of the weakening of those rules, we were forced to devote a significant portion of that report ... to explaining how the CPPA's proposed risk assessment rules come up short and fail to fulfill the statutory goal of 'restricting or prohibiting' unduly risky data practices," Davisson said.
Others decried the agency's decisions to narrow down its ADMT requirements and said the rules failed to address the harms AI can pose to people’s economic and social well-being.
"These tools have the capacity to completely outsource human decision-making with little to no oversight and can be used to impact the lives and livelihoods of workers," Ivan Fernández, a legislative advocate for the California Federation of Labor Unions, said.
Some stakeholders viewed the final package as an improved product, with California Hispanic Chamber of Commerce President and CEO Julian Canete commending the CPPA for the creation of new definitions around ADMT and removal of AI references. Additionally, he asked for the CPPA to consider establishing a single compliance state for businesses subject to the rules.
"As we all know, California is facing several economic challenges, and its small businesses need every possible form of economic relief," Canete said.
Caitlin Andrews is a staff writer for the IAPP.