Bipartisan Group of Calif. Legislators Urges Privacy Agency Not to Regulate AI

Small businesses and industry groups also raised red flags at the CPPA’s Wednesday rulemaking hearing. However, a consumer privacy advocate and a labor group representative testified that the state privacy agency has authority and should regulate ADMT.

“The CPPA does not have authority to regulate any AI (generative or otherwise) under Proposition 24 or any other body of law,” said the California lawmakers, referring to the ballot initiative that resulted in the 2020 California Privacy Rights Act. “AI is not included in Proposition 24, and the Legislature has not granted the CPPA authority to regulate AI. The ADMT regulations currently being considered need to be scaled back to focus on the specific issue identified under” the privacy section of California civil code “and avoid the general regulation of AI.”

California Civil Code Section 1798.185(a)(15) requires "regulations governing access and opt-out rights with respect to a business’ use of automated decisionmaking technology, including profiling and requiring a business’ response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer." Also, California last year enacted AB-1008, which clarifies that personal information under the California Consumer Privacy Act (CCPA) can exist in different formats, including "artificial intelligence systems that are capable of outputting personal information."

The letter was signed by the California Assembly’s Jacqui Irwin (D), David Alvarez (D), Lisa Calderon (D), Diane Dixon (R), Josh Hoover (R), Stephanie Nguyen (D), Blanca Pacheco (D), Darshana Patel (D), Joe Patterson (R), Gail Pellerin (D), Cottie Petrie-Norris (D), Sharon Quirk-Silva (D), Catherine Stefani (D) and Avelino Valencia (D). State Sens. Anna Caballero (D), Tim Grayson (D), Brian Jones (R) and Akilah Weber Pierson (D) also signed. The CPPA didn’t comment Thursday.

The CPPA values the legislature's input, CPPA General Counsel Phil Laird said in an emailed statement Thursday. "The CPPA Board will consider this letter and all the other comments received in support and opposition of the draft regulations as we move through the rulemaking process." Laird added that "public comments and next steps for this rulemaking will be discussed at a future board meeting when the proposed regulations are agendized."

In the letter, the state lawmakers claimed that the CPPA is moving forward knowing that its draft rules could cost $3.5 billion to implement in the first year and $1 billion annually for the next 10 years, while killing 98,000 jobs. “That is nothing to say of the adverse impact on future investment and jobs noted by the analysis that will get moved to other states, or the startups that will get developed elsewhere.”

The legislators noted that they debated and passed many AI bills in 2024 and Gov. Gavin Newsom (D) signed about 20 measures on the subject, while vetoing only a few. “This is a significant public policy issue that the legislative branch will continue to weigh in on in the 2025-2026 session and beyond.” The CPPA isn’t excused from Newsom’s “unequivocal message” that the state “must get this right,” the legislators said. “Particularly when there is so much on the line not just in terms of privacy rights but also other fundamental freedoms, as well as economic, societal, and moral impacts.”

“We disagree with [CPPA] Board Member [Drew] Liebert’s unfortunate suggestion that the Legislature is incapable of adequately legislating AI policy and the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI,” the lawmakers added. “In truth, each of you must work with the Legislature and Governor Newsom to implement the specific statutory authority delegated to the Agency, rather than act alone.”

The CPPA faced more opposition in a joint letter from industry groups, including the State Privacy & Security Coalition (SPSC), TechNet, the Association of National Advertisers (ANA), Entertainment Software Association, Software & Information Industry Association (SIIA) and the Computer & Communications Industry Association. The California Chamber of Commerce (CalChamber) and state bankers, retailers and restaurant associations were among others that joined the letter.

“We write today with an urgent request to significantly narrow the scope of the current proposed regulations,” the industry groups said. The draft rules “represent an existential threat to California’s business environment,” showing “an extremely concerning disregard for the realistic ability of businesses to meet the cost and operational requirements” from the proposals.

“These 40 pages of regulations carry with them a cost to businesses in the tens of billions of dollars," the groups continued. “While the current economic impact estimate puts them at an already staggering $3.5 billion, this figure only accounts for businesses based in California -- not businesses that are based elsewhere but still doing business in California.” In addition, it’s unclear if the CPPA has authority to regulate ADMT that isn’t high-risk or doesn’t affect privacy, or to get involved with behavioral advertising or AI, they said.

Many of the same groups raised such concerns at CPPA hearings on Wednesday and last month (see 2501150017), as well as in written comments. While the CPPA didn’t immediately post written testimony, Privacy Daily obtained industry comments from SPSC, SIIA, CalChamber and the Securities Industry and Financial Markets Association. The CPPA received more supportive notes from TechEquity and jointly from the Electronic Privacy Information Center (EPIC) with Consumer Federation of America.

CPPA Hearing on ADMT

“Despite what industry argues, the agency has clear authority” to make ADMT rules, EPIC Senior Counsel Sarah Geoghegan testified at the CPPA’s hearing Wednesday. “As is explicitly provided in the [California Consumer Privacy Act (CCPA)], the use of ADMTs in significant decisions is a harmful part of the commercial surveillance ecosystem that can reproduce discriminatory outcomes,” said Geoghegan. “This is especially harmful when the ADMT impacts consumers’ access to health care, education, employment, financial services and public benefits.”

The CPPA should, in fact, strengthen its draft rules, including by modifying the ADMT definition to better cover ADMT’s most frequent uses, extending the opt-out consumer right to use of personal data for training generative AI and ensuring the access right gives consumers “actionable information” about ADMT decisions, she said.

The California Nurses Association also urged that the privacy agency press forward. The CPPA “has the authority and the duty” to make strong rules, said Carmen Comsti, the labor group’s lead regulatory policy specialist. “In healthcare settings, ADMT have been demonstrably prone to serious inaccuracies and biases … The current regulatory vacuum of privacy protections on ADMTs and other algorithmic technology has inappropriately allowed developers and deployers of these tools to violate worker, patient and other consumer privacy rights.”

However, two small business owners raised concerns with the CPPA’s proposal. “If people opt out of receiving automated, data-driven ads,” said Jeff Bond, Inspect.me owner, “I won’t be able to reach the right people. That will be disastrous for my business.” Jerick Sobie, Lucky Feet Shoes co-owner, fears customers won’t navigate several pop-up screens just to get to the company’s website. Larger businesses may be able to afford overhauling their marketing strategies, but not small companies, he added.

Future of Privacy Forum Senior Director Keir Lamont suggested “providing clarity and supporting interoperability with comparable U.S. frameworks.” Focus ADMT rules on high-risk systems, he said. “However, the current guidance as to what qualifies as substantially facilitating a decision remains vague.” Additionally, the CPPA should ensure “low-risk, low-complexity [and] socially beneficial systems are not disrupted” by considering “categorical exceptions, “such as for systems that perform narrow procedural tasks” or handle cybersecurity.

Proposed ADMT rules likely exceed the CPPA’s authority, said Travis Frazier, ANA senior manager-government relations. Additionally, allowing consumers to opt out of behavioral ads would violate the First Amendment by “unreasonably hindering lawful commercial speech.”

The CPPA should hold off regulating insurers because the National Association of Insurance Commissioners is working on a model bill, said Laura Curtis, American Property Casualty Insurance Association assistant vice president. Don’t act until after insurance commissioners complete their work and lawmakers have a chance to adopt their model bill, she said.