Companies subject to the California Consumer Privacy Act (CCPA) have been keeping a close watch on CCPA rule-making activity, particularly the development of new regulations that will restrict certain uses of artificial intelligence. While the California Privacy Protection Agency (CPPA) initially proposed broad-sweeping rules for AI-related technologies, the CPPA has scaled back its revised draft regulations following concerns from industry groups, the California legislature, and Governor Gavin Newsom (see here for an open letter criticizing former draft regulations). The latest modifications to the draft regulations indicate a welcome shift to reduce the burden on businesses. Below, we highlight several key changes to the draft regulations with respect to AI-related technologies, as well as privacy-related risk assessments and cybersecurity audits.
1. Narrower Scope of Regulated AI Use
The draft regulations will apply to automated decisionmaking technology (ADMT) used to make “significant decisions” (those defined by the draft regulation to include decisions related to financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services). The CPPA has revised its draft regulations to narrow and fine-tune the types of activities that will be covered, including as follows:
- The draft regulations now apply only to the use of ADMT, rather than to the use of “artificial intelligence” more broadly: The CPPA’s initial draft regulations were drafted to apply to the use of either ADMT or “artificial intelligence,” with a broad definition of “artificial intelligence.” The proposed regulation of artificial intelligence beyond ADMT was highly criticized as exceeding the scope of the CPPA’s regulatory mandate. Indeed, California legislators argued that the CPPA would exceed its authority by regulating artificial intelligence. The CPPA’s revised regulations now apply only to activities defined as ADMT, rather than to “artificial intelligence” more broadly.
- The defined category of ADMT, moreover, involves technology that substantially “replaces,” rather than merely “facilitates,” human decisionmaking: The CPPA’s initial draft regulations had defined ADMT to include technology that “substantially facilitate[s]” human decisionmaking. This proposed “facilitation” standard met strong pushback for its breadth; some commentators argued that even simple tools like calculators or spreadsheets might fall under the scope of ADMT under such a broad definition. The CPPA’s revised draft regulations now limit ADMT to processing that substantially replaces human decisionmaking, rather than processing that substantially facilitates human decisionmaking.
- “Significant decisions” include decisions resulting in the provision or denial of essential goods or services, rather than access to such goods or services more generally: The CPPA’s initial draft regulations had defined “significant decisions” more broadly to include decisions that result in “access to” essential goods or services, not just decisions that result in the actual provision or denial of such services. The CPPA’s revised draft regulations remove the concept of “access,” following concerns that “access to” was overly broad and could include services like maps apps that route a consumer to a covered service. As a result, significant decisions related to essential goods or services refer more specifically to the provision or denial of such services.
- “Significant decisions” no longer include behavioral advertising: The CPPA’s initial draft regulations had defined “significant decisions” to include profiling a consumer for “behavioral advertising.” The revisions remove this definition from the draft regulations entirely. This is also a welcome update for businesses, especially as the prior draft regulations would have even encompassed first-party advertising activities as ADMT.
2. Certain ADMT Consumer Opt-out and Access Rights Limited
The draft regulations will require businesses to provide consumers with the ability to opt out of a business’s use of ADMT in certain situations and to provide information when consumers seek access to ADMT. The revisions clarify and scale back certain obligations, including as follows:
- Consumers’ ADMT opt-out rights narrowed: The initial draft regulations granted consumers broad rights to opt out of a business’s use of ADMT. The revised draft regulations narrow the scope of these rights by expanding several exceptions where a business does not have to provide the opt-out right. For example, a business would not need to provide the right to opt out of ADMT if the business designates a human reviewer to review the output of ADMT and allows the consumer to appeal a significant decision made by ADMT.
- Less information required to be provided in response to a consumer’s request for information about the use of ADMT: The revisions also narrow the scope of information businesses must provide to a consumer who requests access to information about the business’s use of ADMT with respect to them. For instance, the updated regulations clarify that a business is not required to provide trade secrets or information that would compromise the business’s ability to prevent, detect, and investigate security incidents. This modification reflects the CPPA’s likely desire to strike a balance between transparency and the onus of compliance on businesses.
3. Risk Assessment Thresholds Heightened and Required Information Reduced
The draft regulations will require businesses whose processing of consumers’ personal information meets certain thresholds to undertake a formal privacy-related risk assessment before initiating such processing. The revisions simplify these obligations, including as follows:
- Risk assessment no longer required when engaging in “public profiling”: The revisions modify the thresholds for when a business must conduct a risk assessment, such as by removing the requirement that a business conduct a risk assessment when profiling a consumer through systematic observation of a publicly accessible place.
- Risk assessment no longer required to include details on “quality of information”: The modifications also no longer require that businesses implementing ADMT provide in their risk assessments detailed information about actions taken to maintain the quality of personal information processed by ADMT. “Quality of information” was previously extensively defined to include “completeness, representativeness, timeliness, validity, accuracy, consistency, and reliability of the personal information for the business’s proposed use of” ADMT or artificial intelligence. The removal of this previously burdensome requirement significantly reduces the information businesses must articulate in risk assessments.
4. Cybersecurity Audit Requirement Timelines Extended and Board Involvement Removed
The draft regulations will also require covered businesses to conduct annual cybersecurity audits if they engage in activities where the “processing of consumers’ personal information presents significant risk to consumers’ security,” which includes businesses that:
- Process personal information of 250,000 or more consumers or households or the sensitive personal information of 50,000 or more consumers; or
- Derive 50 percent or more of their annual revenue from selling or sharing consumers’ personal information.
The revisions to the draft regulations extend the date by which covered businesses must perform cybersecurity audits from within 24 months of the draft regulations’ effective date to 2028, 2029, or 2030, depending on revenue thresholds. For example, the revisions require a business to complete its first cybersecurity audit report by April 1, 2028, if the business’s annual gross revenue for 2026 was more than one hundred million dollars. Lastly, neither the cybersecurity audit report nor the certification of completion is now required to be signed by a member of a business’s board of directors.
Conclusion
Overall, the CPPA’s latest revisions narrowing the draft regulations demonstrate the agency’s response to concerns about compliance burdens on businesses. The CPPA Board will receive public comments on the revisions until June 2, 2025, as part of a truncated comment period.