The California Privacy Protection Agency Board approved a revised package of draft regulations covering automated decision-making technology, cybersecurity audits and risk assessments for a second round of public comments during its 1 May meeting.

Updates to the draft rules were presented to the CPPA Board after it requested, at its previous meeting 4 April, that agency staff revise the prior draft regulations and scale down their scope. Public comments on the updates are due 2 June as part of a truncated comment period proposed by the board, which deemed the changes to the regulations "substantial and sufficiently related" to the original draft regulations.

CPPA Board members generally viewed the changes as reducing the compliance burden for businesses. The latest draft completely removes the term "artificial intelligence," which board members agreed should be dropped to leave the state legislature space to craft a comprehensive state AI law similar to the Colorado Artificial Intelligence Act.

An economic analysis provided by agency staff estimated direct costs for businesses would drop 64% to USD1.24 million from the prior iteration of the regulations discussed in April.

CPPA Board Chair Jennifer Urban applauded agency staff for quickly fine-tuning several of the regulations over the last month, but wanted to ensure civil society stakeholders' concerns were not getting lost in the shuffle.

"(CPPA) staff (both) broadly speaking, and in many specifics, have made very good, careful choices that are in line with the board's expectation," Urban said. "They do pull the regulations back from consumer protection and in favor of businesses further than the board's guidance in early April … We've really cut to the bone in terms of what is in line with the statute's requirements."

Key changes

The updated draft ADMT regulations include changes to the definition of such tools, as well as the definition of a "significant decision" the technology would render. Other ADMT regulation updates include streamlining pre-use notice requirements by allowing them to be combined with notices at collection and refining opt-out exceptions for human appeals of certain decisions.

For risk assessment regulations, the CPPA Board approved the removal of language that would have required companies deploying ADMT or AI to detail mitigation measures undertaken to ensure the "quality" of the personal information that the system will process. Instead, the new language requires companies to "identify and document" the personal information their AI or ADMT system will process.

Additionally, the risk assessment requirements were fashioned similarly to the provisions under Colorado's AI Act. The regulations now feature a hypothetical example of how a business complying with Colorado law can ensure it meets California's proposed requirements.

Board member Dr. Brandie Nonnecke referenced proposed Senate Bill 813, which would create a multistakeholder panel to establish the criteria for risk assessments, and Assembly Bill 1405, which would establish qualifications for cybersecurity and risk assessment auditors, as solutions that would help define what these regulations would look like in practice.

"I am sympathetic to businesses being compelled to do risk assessments under the uncertainty that the third party is actually doing due diligence," Nonnecke said. "So more clarity around what does a risk assessment actually look like would be helpful."

Revisions to the draft cybersecurity audit rules include consolidating reporting requirements, clarifying certification-of-completion requirements and removing certain explanatory provisions.

The board has until November to approve the regulations and submit the final package to the Office of Administrative Law.

Minor adjustments

In approving the regulations to be released for additional public comment, CPPA Board members made several minor requests for agency staff to revise ahead of the opening of the public comment.

For instance, board member Drew Liebert asked the agency to produce further economic analysis if the cybersecurity audit requirements for businesses grossing more than USD1 billion in revenue were moved up a year from the originally proposed deadline of 1 April 2028. The auditing deadline for businesses grossing between USD100 million and USD1 billion would remain in place for 2028, with the gross revenue threshold falling in each of the two subsequent years to eventually capture all businesses.

"A couple of years (to produce a cybersecurity audit), if you're a billion dollar-plus company, is plenty of time, and we've already been talking about this for three years," Liebert said. "We can always adjust the deadlines if we need to."

Alex LaCasse is a staff writer at the IAPP.