The California Privacy Protection Agency Board approved a formal rulemaking process on a package of regulations that includes much-debated rules for automated decision-making technology. The 4-1 vote to advance the package comes after sometimes contentious debate spanning several months and prior board meetings.
The move to formal rulemaking means the public will have another chance to weigh in on the proposed rules and the board will be able to respond to those comments. Also moving with the draft ADMT regulations are proposed rules around annual cybersecurity audits, required risk assessments and insurance company compliance with the California Consumer Privacy Act. The package had sat in the pre-rulemaking stage since March with board discussions on some of the rules dating as far back as August 2023.
The formal rulemaking was not the only news to come out of the agency's 8 Nov. meeting. The board also adopted rules to further spell out provisions and requirements under California's new data broker law, the Delete Act. Those new rules clarify definitions under the broker law as well as registration and transparency requirements.
Additionally, CPPA Executive Director Ashkan Soltani announced at the end of the board meeting that he plans to resign from the agency effective January 2025.
Moving forward on ADMT
The board's vote on formal rulemaking demonstrated most board members have a degree of confidence that some reservations about draft ADMT rules could be addressed during the steps to come.
The formal process will begin when the agency publishes its notice of proposed rulemaking. The public comment period that follows typically lasts for 45 days, but the CPPA staff said they would add additional time. Any substantive changes will trigger an additional 15-day comment period.
The CPPA published recent updates to the draft rules, indicated in blue and underlined text within the document. Staff members estimated the board will be able to discuss feedback and the rules by February 2025.
Debate continues
Opponents of the proposed regulations argue artificial intelligence is changing too rapidly for rules governing its use to be passed, lest they be out of date. They also say the board should wait until the California Legislature takes up AI before finalizing rules.
Legislative efforts on AI have seen mixed results in California thus far. While an AI transparency law passed during the 2024 legislative session, a bill geared toward safety was vetoed by Gov. Gavin Newsom, D-Calif.
The argument struck a chord with CPPA Board member Drew Liebert. The former California Senate president pro tempore argued punting complex AI decisions to the legislature would result in a less thorough deliberative process.
"I was reading a little bit as we were hearing testimony about some of the risks of ADMT, and they are profound," he said. "Many of us are experiencing it now, when you can't actually reach human beings anymore because you are literally talking on the phone to machines, and when you want to get to a human, you cannot do it."
On the other hand, civil rights groups argue the longer the delay, the more people will mistrust AI and risk being hurt by a discriminatory decision affecting someone’s employment, financial, education or health care choice. Consumers continue to be harmed by AI which does not have proper guardrails, according to Consumer Reports Policy Analyst Grace Gedye. She indicated most people are uncomfortable with AI making decisions about their employment or financial futures, pointing to a study Consumer Reports did with NORC at the University of Chicago.
Gedye called attention to tools such as a hiring aid from startup Retorio, which was found to make decisions on a job applicant's worth based on factors such as whether they had a bookshelf in their video interview background.
"These predictive AI systems may, in practice, function poorly," Gedye said. "They may latch onto factors that tend to correlate with the desired outcome, but are not, in fact, important."
CPPA Board Chair Jennifer Urban said further delay risks putting the board at odds with the duties it has been charged with and risks legal complications down the road.
"And it is public record that we have, in fact, been sued on a theory that we have been just too late in promulgating these regulations," she said, referring to its ongoing legal fight with the California Chamber of Commerce regarding data collection rules. "So this is not a question of us just deciding to do this. This is a question of us being mandated to do it."
At issue for most business groups is the proposed cost of the regulations. A regulatory impact assessment conducted by the agency estimates complying with the rules would cost businesses USD3.5 billion and tens of thousands of jobs being lost as they adapt. Proposals to create consumer rights to opt out of their data being used for consumer profiling and training AI also frustrated opponents, who said such rules would hamper advertising.
Agency staff argues in their assessment the economic losses would be short-term and ultimately result in multiple benefits for California, including enhanced legal protections for its residents.
"Simply put, the proposed regulations have high upfront costs, but low ongoing costs, and this shows up in early years as a net cost to the economy," the assessment reads.
The cost did not seem simple to California African American Chamber of Commerce Chair Edwin Lombard. During the public comment portion of the board meeting, Lombard said even if the rules target big companies, they will have downstream effects as well.
"If the companies the CPPA are aiming to regulate leave California, we are gone too," he said. "When big businesses catch a cold, we catch pneumonia."
The lone no vote on the board, Californians for Consumer Privacy founder Alastair Mactaggart, remained adamant the scope of the rules exceeded the intention of the California Consumer Privacy Act. The ADMT rules are scoped through the provisions CCPA.
Mactaggart said the rules should not focus on how a decision was made, but the decision itself. He also argued the risk assessment requirements and the appeal mechanism for the opt-out option will stretch the CPPA's current resources.
"We're setting up a terrible architecture, and nothing about this architecture helps protect privacy," Mactaggart said. "And on the contrary, we're just going to wreak havoc and hurt privacy."
The outgoing executive director
The results of the board meeting move forward a few items on an already lofty agenda for the CPPA in the coming year. All that work will now be overseen by new leadership as Soltani is set to exit the agency he helped build three years ago.
"We're no longer a 'startup' in state government but have skilled Legal, Policy & Legislation, and Admin divisions that can support the Board in many aspects of the Agency’s operations. Enforcement is humming along nicely, as you’re aware in the recent sweep announcements — and we have dozens of open investigations underway which I’m excited about," Soltani wrote regarding his exit on the CPPA's blog.
Soltani, a former chief technologist for the U.S. Federal Trade Commission and senior advisor to the White House, was appointed executive director October 2021 on a 3-2 vote by the board. He has helped the agency step into its enforcement mandate, especially in recent months, and carried previous CCPA rulemakings to completion.
Soltani helped the build the agency itself from the ground up. The CPPA currently carries 45 employees and seven divisions.
"Thanks to his commitment and vision, the CPPA has a solid foundation and has numerous successes to build on for years to come," CPPA Board Chair Urban said in a statement.
There is no official word on whether a replacement will be in place by the time Soltani exits. He said the work toward a "smooth and stable transition" into the agency's "next chapter" is ongoing.
"I am confident the Agency is well-positioned to continue leading California — and the nation — in privacy and consumer protection, setting new standards, shaping policies that put people first, and building a future where individuals’ rights are protected and vigorously enforced," Soltani wrote. "While still at the helm, I will continue to lead the Agency in fulfilling our delegated responsibilities."
Caitlin Andrews is a staff writer for the IAPP.
Editor's note: IAPP News Editor Joe Duball contributed to this article.