Today, the California Privacy Protection Agency (CPPA) board voted 5-0 to finalize regulations on cybersecurity, risk assessments, and automated decisionmaking technology (ADMT) that have been in progress since early 2023.

The agency’s decision to finalize regulations that have been significantly watered down over the past months is disappointing. Initial drafts of the regulations were quite privacy-protective, but after intense lobbying from Big Tech companies and others, the CPPA voted to weaken the rules and remove several key provisions that would have better protected Californians.

EPIC published a report in June 2025, Assessing the Assessments: Maximizing the Effectiveness of Algorithmic & Privacy Risk Assessments, illustrating how California’s proposed regulations, specifically the risk assessments portion, fell short. The report outlined the significant harms that unregulated data practices and ADMT use inflict on the wellbeing of consumers and workers and explained how the draft regulations, which the CPPA just adopted, fail to ensure that businesses mitigate the significant privacy risks of these technologies.

As explained in the report and echoed by EPIC Litigation Director John Davisson in EPIC’s testimony at today’s hearing, “The narrowed definition of ADMT is dangerously underinclusive. Essential transparency and accountability mechanisms have been omitted. The cybersecurity obligations have been watered down. And the risk assessment obligations of businesses have been hollowed out in troubling ways.”

EPIC has been consistently engaged in the CPPA rulemaking process, submitting comments in March 2023, February 2025, and most recently in June 2025, to urge the agency to adopt strong protections for consumers and workers. EPIC looks forward to continuing engagement with the CPPA to advocate for strong privacy protections for consumers and workers.