Comments to the California Privacy Protection Agency’s Proposed AI Regulations
The California Privacy Protection Agency (CPPA) has proposed regulations that would impose new requirements on businesses using automated decision-making technology. The CPPA’s proposal oversteps its authority, transforming an already overbearing data privacy law into excessive AI regulation.
It requires businesses to conduct risk assessments, provide detailed disclosures, and offer broad opt-out rights, effectively regulating AI development and use. The overbroad definition of ADMT captures low-risk tools, creating costly compliance burdens with little consumer benefit. The requirement that businesses become immediately responsible for the new rules after CPPA publishes them gives businesses no time to adapt, forcing rushed compliance or abandonment of ADMT. Moreover, by acting unilaterally, California is adding to regulatory fragmentation at the state level and complicating efforts to establish a coherent national AI governance framework.
