Calif. Privacy Agency Chair Fears Staff Pared ADMT Draft 'to the Bone'

Significant revisions released by the agency late Wednesday exorcised the terms “artificial intelligence” and “behavioral advertising” from its proposed rules, among other big changes. The changes followed the CPPA board agreeing at its April 4 meeting to significantly narrow the proposed rules, including by removing behavioral ad requirements and revising the definition of ADMT (see 2504040043).

Thursday’s meeting occurred a week after Gov. Gavin Newsom (D) sent a letter reminding the agency that its authority isn’t “unbounded” and that proposed ADMT rules could have unintended consequences, increasing costs and threatening tech innovation in the state (see 2504280037 and 2504250002). A bipartisan group of 18 California state legislators issued a similar warning in February (see 2502200025).

“Staff has proposed revisions to the regulations that potentially reduce compliance burdens and costs for businesses and to take a more incremental approach," reflecting the board's "policy preferences shared during the April meeting,” CPPA General Counsel Phillip Laird told the board Thursday. However, he said the board retains “the discretion to revert to more robust protections for consumers in the regulations. And to be clear, the agency has the authority to promulgate regulations that provide more robust protections for consumers’ privacy, even if there is a higher cost associated with it."

Urban said she was impressed with how CPPA staff "significantly revised these regulations" within one month of the board’s last meeting. However, the chairperson raised concerns that the revised draft rules “pull the regulations back from consumer protection and in favor of businesses further than the board's guidance in early April." Urban’s “worry … is that the current implementation deadlines, along with some of the narrowing, isn't taking into account the cost on the opposite side,” that is consumers.

The revised proposal leaves "it appropriately to the legislature to work on these challenging policy issues," said Drew Liebert, another board member. "I'm all for negotiating a reasonable set of regulations and I know we've met that test. This is definitely reasonable, and I just hope we haven't gone too far.”

The revisions reduced the estimated first-year costs for businesses of the proposed rules to $1.2 billion, a 64% reduction from the previous draft, said Lisa Kim, CPPA senior privacy counsel. A large part of the reduction comes from the revised ADMT rules, she said. The cost from that section alone declined 83%, to $143 million, from $835 million in the previous draft, said Kim: It’s mainly because only 10% of firms subject to the California Consumer Privacy Act would now still be covered under the revised ADMT draft rules.

Urban said the 10% figure was a surprise, though Jeffrey Worthe, a board member, said he was comfortable with it. “We can always adjust in the future,” he said. “I'd rather start at a lower place than a higher one.”

The CPPA could open a 15-day comment period on the updated draft as soon as May 6, said Laird. However, board members debated how much time to give for comments. They didn’t reach a decision before our deadline Thursday.

Worthe said 15 days from May 6 seemed like enough time, considering the draft technically came out April 30. However, the board’s Alastair Mactaggart said he’d rather give stakeholders more time to digest. Laird said 15 days is what’s statutorily required; he recommended not exceeding 30 days since the agency only has until November to finalize the rules for submission to the Office of Administrative Law.

Changes Follow Governor’s Warning

The updated draft contains “substantial changes … that are things that businesses -- and some members of the CPPA -- have been advocating for that bring the draft CPPA regulations from being nearly impossible to practically implement to at least being plausible,” McDermott privacy attorney David Saunders emailed us Thursday before the board meeting.

“For example, the CPPA draft has stripped out all of the AI regulations; the ADMT definition is much tighter and better defined, and there have even been changes to the form, format and process for both cybersecurity evaluations and risk assessments,” he said. While it’s not back to square one, “the latest draft presents a very different set of regulations than we were looking at even last month.” Newsom’s recent letter might have “something to do with the changes."

Newsom’s letter to the privacy agency was a rare warning shot from the governor, said Fisher Phillips lawyers in a Monday blog post. “Newsom is not the only one offering a cautious opinion about the draft regulations,” as they stood before Wednesday’s update. The lawyers referenced media reports saying that many major tech companies and business groups warned that the rules could drive out AI from the state (see 2501150017)

Consumer groups urged the CPPA to stay the course in statements earlier this week. “We are at a major crossroads in California’s battle over data privacy protections,” wrote Consumer Watchdog’s Justin Kloczko in an email newsletter Tuesday. “Forces within the privacy agency and Gov. Gavin Newsom, under pressure from powerful business interests, are pushing to scale back these seminal protections.”

The CPPA has "been spending a lot of time listening and learning from stakeholders,” said Tom Kemp, appointed last month as the CPPA’s new executive director, in an update to the board at the beginning of the meeting. “We will continue to listen to stakeholders and strive to strike the right balance between enabling the most robust privacy protections for all Californians and innovation so that … California has the best of both.”