Calif. Businesses Say Draft Privacy Agency Rules Could Be 'Disastrous' for AI

California’s privacy agency is working on rules related to cybersecurity, risk assessments, ADMT and updating California Consumer Protection Act measures. The commission voted Nov. 8 to commence the formal rulemaking. While written comments were originally due the same day as the hearing, the CPPA decided Friday to add a second hearing, on Feb. 19, and extend comments to the same day due to the wildfires in parts of the state (see 2501130008).

“We believe that the agency should focus on [its] primary obligations as a privacy agency rather than broadly attempting to regulate the use of automated technology and AI,” said TechNet Executive Director Dylan Hoffman during the hearing: Leave that to the legislature.

Rule changes that expand CPPA authority over ADMT “have no basis in statute,” agreed NetChoice lobbyist Shane LaVigne. He joined many business groups complaining about what they see as an overly broad proposed definition of ADMT. Regulating “essentially all computational technology … would be disastrous for California’s AI development.” Restricting first-party advertising through draft rules on behavioral ads would also exceed the agency’s authority and have “major First Amendment implications,” while raising costs for businesses and consumers, he added.

Proposed behavioral advertising rules exceed CPPA authority, concurred Digital Advertising Alliance CEO Luigi Mastria. The CCPA regulates third-party ads but provides no right to limit a business from processing data to market to its consumers. “The agency's proposed regulations regarding behavioral advertising are nothing more than an attempt to regulate -- call it what it is -- first-party advertising.”

The California Privacy Rights Act says the state should strengthen privacy rights over time, not dilute them, countered Jacob Snow, a senior staff attorney at the American Civil Liberties Union of Northern California. Rules are required as algorithmic systems become more ubiquitous, said Snow: Without guardrails, such systems can “magnify and expand threats to rights, health and safety.”

Snow disagreed that a consumer’s opt-out right under the CCPA should exclude behavioral advertising. A privacy law shouldn't have a behavioral advertising exception for the same reason an environmental law shouldn't have a coal mining exception,” he said. “Behavioral advertising drives an immense and invasive surveillance system that puts people at risk.”

The proposed rules are clearly within the agency’s statutory authority, agreed Rindala Alajaji, Electronic Frontier Foundation legislative activist. It should continue adding rules and closing loopholes, she added. Provide strong opt-out rights for the most harmful applications of ADMT and don’t let exceptions for trade secrets undermine transparency efforts, the EFF official said.

Many California-based business groups lined up in opposition to the proposed rules, including Biocom California, Silicon Valley Leadership Group, Civil Justice Association of California, the California Chamber of Commerce and state chambers for Hispanic, African American and Asian Pacific businesses.

"These regulations you are pushing have real-life economic impact on many Californians,” said Edwin Lombard, former president of the California African American Chamber of Commerce. “If you overregulate, California and these companies will take their jobs to Arizona, Texas or other states."

But labor groups voiced their support for ADMT rules. With AI expanding across workplaces in every industry, it’s important to pass “true guardrails … for workers,” said Ivan Fernandez, a California Labor Foundation lobbyist. The CPPA would be fulfilling its mandate by regulating ADMT to protect workers and renters, said Swati Chintala, labor research manager for TechEquity.

Strippers United supports ADMT regulations to expand protections for workers most vulnerable to exploitation, said NatsHoney, the labor group’s president. “Online platforms often take a disproportionate share of our earnings and yet workers are excluded from decisions about automated technologies that impact hiring, firing, compensation and monitoring,” she said: That can have “profound economic, psychological and discriminatory consequences.”

However, national industry groups warned of many possible unintended consequences of the rules. For example, it's possible that consumers will be bombarded with notices from apps, causing fatigue, said Caleb Williamson, state public policy associate at ACT|The App Association. Ad-based free and low-cost services will move to subscription models, warned Chamber of Progress Robert Singleton, senior director of policy for California.

Letting consumers opt out of ADMT for profiling would require that businesses “entirely redesign their services,” cautioned Anton Van Seventer, privacy counsel for the Software and Information Industry Association. Opting out of ADMT training will hamstring startups using products from larger tech companies, who in turn will find it tough to comply, he added.

Training AI systems isn’t inherently problematic, stressed Meghan Pensyl, policy director for BSA|The Software Alliance. "Thoroughly training AI systems on diverse sets of data produces more accurate and more fair outputs and can help reduce risks of algorithmic discrimination.” Jesse Lieberfeld, Computer and Communications Industry Association policy counsel, said that proposed rules like requiring more risk assessments for ADMT won’t meaningfully improve consumer privacy -- but they will inhibit businesses from innovating.