The California Privacy Protection Agency is inching closer to completing its latest package of regulations, including those covering automated decision-making technology. But the pressures of regulating ADMT continue to generate lengthy discussion for the CPPA Board, which considered further amendments to the agency's draft regulations during its 4 April meeting.
Among the notable modifications offered by CPPA staff were a change to the definition of ADMT and removing behavioral advertising from ADMT and risk assessment requirements. The board also directed CPPA staff to remove a selection of categories in scope for provisions covering significant decisions. Those were conditionally approved by the board but will receive final approval at the next meeting.
In addition to specific proposed changes, the board directed staff to look at Colorado's AI Act, slated to come into effect next February, for areas of possible alignment around how risk assessments are handled.
Consideration of further amendments means further delay on the final rules package covering ADMT, risk assessments and cybersecurity audits is likely.
CPPA staff brought six topics they wanted more feedback on before presenting a final set of changes in May. Another 45-day comment period would open if the changes are determined to be substantial enough. The board has until November to submit a final package to the Office of Administrative Law.
Existing friction
The proposed changes reflect a goal to align U.S. state-level AI regulation and avoid fragmentation under a patchwork of laws. They also seek to address tension regarding the potential stringency of proposed AI regulation, as the White House is building momentum to pivot from a more safety-focused regulatory approach to one that champions innovation.
Some opponents, including board member Alastair Mactaggart, said the draft rules go beyond the CPPA's authority to regulate privacy by also putting constraints on AI. Mactaggart said the board spent nearly two years arguing about the rules without making substantial progress on his and others’ concerns.
“We are now on notice that if we pass these regulations, we will be sued repeatedly and by many parties,” he said at the 4 April meeting.
But other members said passing less stringent rules for fear of litigation could constrain the board from doing its job.
"I'm just going to be really frank, the conversation we’re having right now is inviting litigation,” Jennifer Urban said later. "It's basically like, come and sue us, regardless of whether you have a claim that is worth anything at all, so any litigation risk is not the standard I'm worried about."
The path forward
It remains to be seen if the changes will soothe some of the concerns from industry stakeholders, who have indicated the rules will hurt their members and hamper AI progress. CPPA staff reported more than 1,664 pages of written comments were submitted, in addition to hours of testimony received during a winter public hearing.
Many public commenters speaking during the April meeting advocated for alternatives to the text they preferred.
California Hispanic Chamber of Commerce President and CEO Julian Cañete supported changing the risk assessment requirements and provisions on public profiling, but also asked that all regulations have an effective date of 1 Jan. 2028 rather than just the cybersecurity rules.
"We believe the changes we are asking for, if adopted, are steps in the right direction and will help minimize the impact to businesses in California," he said.
Other stakeholders, including Tech Equity Research Manager Swati Chintala, urged the board to focus on protecting the public from AI-related harm.
"The board must use this rulemaking process to balance the industry's immense power with the necessity of privacy and data protection for Californians," Chintala said.
Caitlin Andrews is a staff writer for the IAPP.
