FPF Submits Comments to the California Privacy Protection Agency on Proposed Rulemaking
On February 19, the Future of Privacy Forum (FPF) submitted comments to the California Privacy Protection Agency (CPPA) concerning draft regulations governing cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT) access and opt-out rights under the California Consumer Privacy Act.
FPF’s comments identified opportunities to bring additional clarity to key elements of the proposed regulations as well as support interoperability with other US legal frameworks. In particular, FPF recommended that the CPPA—
1. Clarify the “substantially facilitate” standard for in-scope ADMT systems, to provide more certainty for businesses and focus requirements on the highest-risk uses of ADMT;
2. Ensure that carve-outs for narrowly used, low-risk AI systems are appropriately tailored to avoid unintended impacts on socially beneficial technologies and use cases;
3. Clarify the intended scope of the definition of “significant decision” to include decisions that result in “access to” the specified goods and services;
4. Consider whether applying requirements to the training of ADMT systems that are “capable” of being used for certain purposes, rather than intended or reasonably likely to be used for such purposes, is too broad;
5. Clarify what it means for an ADMT or AI system to be used for “establishing individual identity”;
6. Clarify that requests to opt out of having one’s personal information processed to train ADMT or AI systems, when submitted after processing has begun, do not require businesses to retrain models;
7. Consider whether requiring businesses to identify the “technology to be used in the processing” in risk assessments is overly broad;
8. Clarify that, in conducting risk assessments, the benefits of processing activities should be weighed against the risks to individuals’ privacy as mitigated by safeguards;
9. Consider whether it is appropriate to require board members to certify a business’s cybersecurity audits; and
10. Provide flexibility to support the delivery of effective and context-appropriate privacy notices, particularly with respect to virtual and augmented reality environments.
FPF’s comments also included a comparison chart highlighting similarities and differences between the CPPA’s proposed risk assessment regulations, data protection assessment regulations pursuant to the Colorado Privacy Act, and data protection impact assessment requirements under the General Data Protection Regulation.