The U.S. Chamber of Commerce (“Chamber”) respectfully submits the following comments in response to the California Privacy Protection Agency’s (“Agency”) May 9 Notice of Modified Proposed Rulemaking (“Proposed Rules”).[1] The Chamber supports privacy protections for all Americans; many of the Proposed Rules,[2] however, exceed the Agency’s statutory authority, and its requirements, particularly those requiring privacy risk assessments and Automated Decision-making Technology (“ADMT”), will harm economic growth and innovation, and will be especially burdensome for small businesses. Our comments incorporate by reference the same policy, legal and economic arguments as incorporated by reference in our January 2025[3] comments (“January 2025 Comments”) to the Agency unless otherwise noted. Also, given the short window for comments from publication, we urge the Agency to consider comments beyond the June 2 deadline for the record.
I. Introduction, Costs, and Burden on Interstate Commerce
The Chamber is the world’s largest business organization, representing businesses of all sizes across the country. The Chamber wishes to express concerns that the Proposed Rules on Cyber Audits, Risk Assessment, and ADMT impose an undue and impermissible burden on interstate commerce. Furthermore, the costs of the Proposed Rules outweigh the benefits.[4] According to the State of California’s own analysis, the Proposed Rules will impose a $1.2 billion direct cost on businesses subject to the CCPA.[5] In comparison, the Congressional Review Act defines a federal “major rule” as one that has “an annual effect on the [United States] economy of $100,000,000 or more.”[6]
The Proposed Rules will have an outsized and significant impact on the national economy, particularly regarding AI. Between 2013 and 2023, private investment in AI has amounted to $335.2 billion,[7] with many of the leading AI developers operating in California. Although the Modified Proposed Rules strike direct references to the term “Artificial Intelligence,” it is very likely that AI systems will continue to be regulated under the definition of “automated decision-making systems” (“ADMT”). For this reason, we believe that the cost of implementing ADMT rules will be much higher than the $143 million cited by the Agency.
II. Definitions
A. Automated Decision-making Technology and Significant Decision
The Chamber appreciates the Commission has decided to strike the term “Artificial Intelligence” from the Modified Proposed Rules. We share many of the concerns Governor Newsom highlighted about the lack of authority of the CCPA to make rules regarding AI.[8] However, we continue to have concerns about the definition of ADMT. The proposed definition is overly broad and not sufficiently tailored to focus on high-risk tools that operate without human oversight. We are further concerned with the Section 7001(ddd)(4)(B) definition of “significant decision.”
First, we recommend discussions to ensure alignment between proposed state AI legislation and this rulemaking to avoid conflicting definitions of "consequential" and "significant" decisions, which create uncertainty and duplicative compliance burdens for regulated entities.
Additionally, the proposed definition of “significant decision” includes “allocation of assignment of work.” The allocation of assignment of work should not give rise to an ADMT opt-out, as it is not a significant impact in the way that automated decisions related to hiring, promotions, or terminations may be. For this reason, we encourage CPPA to strike “allocation of assignment differing from automated decisions related to hiring, compensation, promotions, or terminations.
We further request clarification on the term “automated” within Section 7001(ee), as it is not defined. We request clarification of what is meant by “resources” under Section 7001(t) and recommend clarifying if the intent is to cover electronic systems. The proposed insertion of information systems of third parties not owned by the Business in Section 7001(t) should be excluded from the definition.
III. Privacy Risk Assessments (Article 10)
A. When a Business Must Conduct a Risk Assessment
Although we continue to incorporate by reference the concerns in our January 2025 Comments related to when risk assessments should be conducted, there remain concerns about the statutory authority and impact of the newly inserted Section 7150(b)(4) and (5). We suggest striking this language entirely. The Act already regulates the use of data collected from geo-trackers that identify a consumer’s precise geolocation, regardless of the location. As sensitive data, a controller must still conduct a risk assessment (per these regs) and provide an opt out. The overbreadth would capture low risk activities such as providing discounts
IV. Cybersecurity Audits (Article 9)
As noted in our January 2025 comments, we reiterate that the Agency should recognize that equivalent audits for other jurisdictions undertaken by businesses should be deemed in compliance with the CPPA. We generally continue to believe that audits should only be required every three years.
V. Automated Decision-making Technology (Article 11)
A. Article 11 Generally
The Chamber remains concerned that the proposed rule would duplicate several existing regulatory efforts in California. We align with Governor Newsom's perspective, as articulated in his letter to the Agency dated April 23rd, emphasizing the necessity for the board to "fulfill its obligations to issue the regulations called for by Proposition 24 without venturing into areas beyond its mandate."[9] Additionally, we draw attention to a letter from State legislators to the board on February 19th, which asserts that "the ADMT regulations currently being considered need to be scaled back to focus on the specific issues identified under Civil Code Section 1798.185 and avoid general regulations on AI."[10]
The Chamber shares these concerns, noting that multiple simultaneous regulations throughout the State pose significant challenges for the business community, creating unnecessary confusion and potentially conflicting rules. Therefore, we believe that no further actions should be taken regarding Automated Decision-Making Technology until the agency has appropriately aligned with the Governor's and State Legislatures' letters to the agency. Should the agency move forward, we provide the following feedback regarding ADMT.
B. Scope of ADMT Regulation
We believe the scope of the ADMT regulation is problematic and potentially duplicative with other rules and regulations within the state. As stated above, we also believe the CPPA’s regulations exceed the scope of the voter-approved statute.
C. Notification Requirements and Fraud
The Chamber is concerned that the requirement within 7221(g), which mandates a business to inform a consumer why their request was deemed fraudulent, could provide a roadmap for bad actors to infiltrate their systems.
D. Pre-Use Notice Requirements
The proposed rule requires businesses to explain detailed uses and purposes for ADMT, which is considered excessively burdensome. We further believe that CPPA does not have the statutory authority to regulate pre-use notices. We once again highlight our concern that the prohibition of standard business terms such as “to improve our services” is overly restrictive. We are concerned that pre-use notice requirements could compel companies to disclose trade secrets and sensitive business information.
The current draft’s removal of the opt-out exclusion in §7221(b) for a business’s use of ADMT for fraud prevention and security-related purposes is problematic and contrary to businesses’ ability to use appropriate technical measures to safeguard personal and confidential information by analyzing potential threats using ADMT and potentially identifiable personal information, such as IP addresses. Individuals opting out for this purpose may be more likely to be bad actors, whose activity would then be excluded from analysis. Accordingly, we recommend this exclusion be reinstated. Finally, we are concerned about the compliance timeline for the changes to the existing regulations and the risk assessments.
The changes to the existing regulations include some significant additional requirements, such as a process for consumers to confirm certain sensitive data elements. This will require technology solutions that will take time and resources to develop. We urge you to give businesses until January 1, 2027 to come into compliance with the amendments to the existing regulations. This will match the compliance date of the existing regulations.
For the risk assessments, although the initial risk assessment is not due until December 31, 2027, there is ambiguity related to new processing and material changes to processing. Accordingly, we recommend the following changes: (a) for all processing requiring a risk assessment that a company is engaged in prior to December 31, 2027, the risk assessment would be due on December 31, 2027; (b) for any new processing initiated after December 31, 2027 that requires a risk assessment, the risk assessment must be done prior to initiation; and (c) for any material change after December 31, 2027 to processing requiring a risk assessment, such risk assessment must be updated within 45 calendar days.
If you have any questions, please contact Jordan Crenshaw at jcrenshaw@uschamber.com. For questions concerning Article 9, please contact croberti@uschamber.com.
Sincerely,
Jordan Crenshaw
Senior Vice President
Chamber Technology Engagement Center
U.S. Chamber of Commerce
Christopher D. Roberti
Senior Vice President
Cyber, Space, and National Security
Policy Division
U.S. Chamber of Commerce
[1] California Privacy Protection Agency—Notice of Modified Proposed Rulemaking (May 9, 2025) available at https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_notice.pdf.
[2] CALIFORNIA PRIVACY PROTECTION AGENCY – PROPOSED TEXT OF REGULATIONS (CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations) (Nov. 2024) available at https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_ins_text.pdf.
[3] Comments of U.S. Chamber of Commerce to CCPA (January 14, 2025) available at https://www.uschamber.com/assets/documents/Comments_CCPA_CaliforniaPrivacyProtectionAgency.pdf.
[4] See, e.g., Minnesota v. Clover Leaf Creamery Co., 449 U.S. 456, 471 (1981).
[5] Potential Modifications to Proposed Regulations (May 1, 2025) available at https://cppa.ca.gov/meetings/materials/20250501_item4_presentation.pdf.
[6] 5 U.S.C. § 804(2).
[7] Charted, U.S. is the private sector A.I. leader, Axios (July 9, 2024) available at https://www.axios.com/2024/07/09/us-ai-global-leader-private-sector.
[8] Letter from Governor Newsom to CCPA (April 23, 2025) available at https://cdn.kqed.org/wp-content/uploads/sites/10/2025/04/CPPA-Letter.pdf.
[9] Id.
[10] Bjerke, Brandon, et al. Letter to the California Privacy Protection Agency Regarding ADMT Regulations. 19 Feb. 2025. Privacy World, https://www.privacyworld.blog/wp-content/uploads/sites/41/2025/03/LegRegLetter.pdf.