Coalition Comment to the CPPA on Rulemaking on Risk Assessment, Cybersecurity, and ADMT
California Privacy Protection Agency
2101 Arena Boulevard
Sacramento, CA 95834
Dear Executive Director Kemp, Agency Staff, and Board Members,
The signed organizations and individuals write to respond to the California Privacy Protection Agency’s May 9, 2025, request for comments on the most recent draft of proposed regulations for the California Consumer Privacy Act (CCPA). We want to acknowledge the hard work of Agency leadership, staff, and board members on these regulations in a difficult and fast-changing policy environment at both the state and federal level.
That said, we are deeply disappointed at the substantial weakening of the proposed regulations – and at the lack of responsiveness to our coalition of labor and civil society groups, which represent hundreds of thousands of workers and consumers. Our organizations have invested significant time over the past two years analyzing draft regulations, gathering evidence from workers and consumers, summarizing academic research, writing responses, and giving public comments at board meetings, all with limited resources.
None of the recommendations in our January 9, 2025, letter were adopted. The principles we articulated in our February 26, 2024, letter are absent from this current draft. Instead, each iteration of the proposed regulations has conceded more and more to concerns of the business community and the tech sector. And the most recent draft, after what we understand to be an intense campaign to influence the direction of the regulations, does the most damage to workers’ and consumers’ rights.
As a result, it is our assessment that the current proposed ADMT (automated decisionmaking technology) and Risk Assessment regulations do not provide the protections that consumers and workers deserve under the CCPA and that the law itself clearly intended.
This is a profound lost opportunity, especially for workers. The emergence of data-driven technologies represents one of the most important issues that will shape the future of work in California for decades to come, affecting workers’ privacy, wages and working conditions, race and gender equity, right to organize, and autonomy and dignity. By fully covering worker data and workplace technologies in the CCPA regulations, California could give workers a voice over their future. We strongly urge Executive Director Kemp, Agency staff, and board members to reconsider the current trajectory of the proposed regulations.
In what follows, we briefly lift up the main shortcomings of the revised proposed regulations. We do not duplicate here the recommendations and cited research provided in our January 9, 2025, letter, all of which remain fully relevant.
1. Definitional changes leave large swaths of workers and consumers unprotected by the proposed regulations.
The revised definitions of ADMTs and “significant decision” narrow the scope of regulation to such a degree as to render them meaningless to many Californians.
For workers in particular, the narrowing of scope to only automating uses of ADMT creates a large opening for companies to side-step the accountability that the CPPA was charged to develop through its regulations. Essentially, an employer can self-certify itself out of coverage under the CCPA by simply deciding that a given automated system does not “replace” or “substantially replace” human decisionmaking. Given the current definition, even a modicum of human involvement would put the use of an ADMT out of regulatory scope. Meanwhile, the employer could be drawing on the system to make highly consequential decisions regarding the terms and conditions of employment for its workers. But because under the proposed regulations, no one needs to be alerted that the employer is using the tool at all, neither workers nor the Agency would be able to challenge the company’s unilateral assessment of the automated system’s role in its decision-making process.
In short, the extreme narrowing of the ADMT definition creates a self-regulation regime for employers hoping to escape oversight. To be clear, this was already a problem in earlier drafts of the proposed regulations. With this latest narrowing, workers are effectively dropped from protection by any ADMT provisions in the proposed regulations.
Also detrimental are the changes to the definition of “significant decision.” For example, employer decisions about the “allocation or assignment of work” for independent contractors will no longer be covered, even as misclassified independent contractors are subject to constant data collection and algorithmic management (like robo-firings) by gig platforms. The use of worker data to train ADMTs will also no longer be covered by the proposed ADMT regulations, even as this is one of the main scenarios where workplace technology products can have significant negative impacts on workers (such as deskilling and job loss). Finally, the specific use of physical or biological identification or profiling to make significant decisions is also no longer covered under the ADMT regulations, even as these often error- and bias-prone systems are increasingly marketed for workplace applications.
At the May 1, 2025, meeting of the CPPA board, Agency staff provided preliminary economic updates based upon the modified regulations. In particular, staff estimated that as a result of the narrowing of the above two definitions, only 10% of firms covered by the CCPA would be subject to the ADMT regulations. Note that this means even fewer than 10% of the firms’ workers would be protected by the ADMT regulations, since not all workers at a given firm are likely to be subject to all ADMTs in use at the firm. This assessment also demonstrates that the agency views the revised regulations as substantially narrowing the scope of the proposed regulations.
2. The revised notice and data access regime will not work for workers and consumers.
One of the hallmarks of the CCPA is that it recognizes the importance of transparency and disclosure in order for consumers and workers to make informed decisions about their data privacy. But currently, the biggest obstacle to ensuring responsible use of data-driven technologies in the workplace is that they are largely hidden from both policymakers and workers.
Especially in the workplace, achieving transparency and disclosure requires both pre-use notice and use-notice. Workers need to know which data collection and ADMT systems are being used in the workplace, and they need to know when one of those systems has actually been used to make a significant decision about them. Without the latter use-notice, a fast food worker, for example, won’t know that an algorithm was used to fire them – and without that knowledge, they won’t be able to exercise their right to access data about that decision.
Unfortunately, the revised regulations delete the use-notice requirement when an ADMT was used to make an adverse decision – in the case of workers, having their compensation decreased or being suspended, demoted, or terminated.
Essentially, it means that a worker or consumer must somehow magically divine that an adverse decision was made about them using an ADMT, in order to know that they should request details about that use. This is a critical loss in the proposed regulations, since data access is the first step in Californians’ ability to identify and challenge errors and unfair treatment. And even if a worker does request more information about a firing decision, for example, the current ADMT regulations no longer require the employer to share the actual output that was used in making that decision – rendering the ADMT access provisions a hollow promise.
3. The revised ADMT opt-out provisions have become even more inaccessible to workers.
In our January 9, 2025, letter, we explained in detail how the draft regulations at that time effectively eliminated the ability of workers to protect themselves by opting out of consequential ADMT systems because a series of broad exemptions would allow employers to easily escape coverage. Revisions in the current regulations only serve to further exacerbate the problem by removing the few barriers that existed to employers claiming the exemptions.
As a result, an employer can simply pronounce that it is using a given ADMT solely for work allocation and assignment or compensation and that the ADMT does not discriminate. It is hard to imagine scenarios where an employer would not avail itself of this exemption. (Previously, the employer was required to first conduct an evaluation of the ADMT and to implement accuracy and nondiscrimination safeguards.)
4. The Risk Assessment requirements have become weak tools for identifying and addressing ADMT harms.
Early drafts of the proposed regulations began to lay out an important set of procedures for providing notice of risk assessments of data collection and ADMT systems. In the workplace context, conducting risk assessments prior to implementation has the potential to be a critical tool to ensure transparency and identify negative impacts; it is not fair to workers to wait until invasions of privacy and other harms have already occurred to begin regulatory oversight. That is why in our January 9, 2025, letter, we laid out a set of recommended improvements to ensure full transparency and accountability to workers in the employers’ use of these systems.
Instead, the current revised regulations only serve to dilute the utility of risk assessments. For example, the ADMT risk assessment provisions no longer require businesses to: document whether they evaluated a given ADMT to ensure it works and does not discriminate; disclose the criteria they used to identify negative impacts to consumer privacy; and identify how their safeguards address any negative impacts identified in the risk assessment. Moreover, businesses no longer have to submit an abridged version of the risk assessment to the Agency. And perhaps most important, a critical provision in previous drafts, stating that businesses must not process personal information for use by an ADMT if the risks to consumers’ privacy outweigh the benefits, was eliminated.
5. In sum, the revised regulations fail to meet the spirit and substance of the rulemaking charge that was given to the CPPA by voters, particularly in the area of automated decisionmaking technology.
In passing Prop 24 and in survey after survey, Californians have been very clear that they want the collection and use of their personal information fully protected—and that includes future-proofing the CCPA by developing regulations around cybersecurity, harm identification and mitigation, and algorithmic systems. What’s at stake are highly consequential decisions impacting access and equity in our communities and our workplaces.
In our assessment, however, the current draft of the regulations falls short of the intent of voters and the directives of the CCPA itself. For example, the law requires, and Californians are entitled to expect, that risk assessments include the company’s actual weighing of risks and benefits, and that the regulatory “goal” is “restricting or prohibiting” such processing if the specified risks outweigh the benefits. It is not enough to simply list various risks and benefits and assert that the risks are outweighed. Further, the definition of ADMT, which by statute must include instances where people’s behavior and performance at work are predicted, falls short of that proper scope. ADMTs are one of the main ways that businesses use consumer and worker data, and so the numerous deletions and weakening of ADMT provisions in the revised regulations are especially harmful.
More generally, we do not believe that the draft regulations currently meet the broad goals of the CCPA, which are to ensure that consumers and workers have the information necessary “to exercise meaningful control” of businesses’ use of their data and have “meaningful options” over how that data is collected, used, and disclosed.
At a moment when we are witnessing a multi-front assault on the very idea that civil society has the right to govern new technologies, California should model the development of regulations that support the development and deployment of responsible AI for consumers and workers. The CPPA should complete its rulemaking by issuing rules that can form the foundation for an innovative, safe, and equitable future, free from undue influence and fully responding to the charge given by voters.
Sincerely,
Organizations:
American Civil Liberties Union California Action
American Federation of Musicians Local 7
Athena Coalition
AWU – CWA Local 9009
California Employment Lawyers Association
California Federation of Labor Unions, AFL-CIO
California Immigrant Policy Center
California Nurses Association
California Teachers Association
Center for Inclusive Change
Communications Workers of America Union (CWA)
Communications Workers of America District 9
Consumer Federation of California
Data & Society
Economic Security California Action
Electronic Frontier Foundation
Electronic Privacy Information Center (EPIC)
Gig Workers Rising
International Cinematographers Guild, Local 600 IATSE
Los Angeles Alliance for a New Economy (LAANE)
Media Alliance
National Domestic Workers Alliance
National Employment Law Project
National Union of Healthcare Workers
San Francisco Labor Council
SEIU California
Surveillance Technology Oversight Project
Teamsters California
Tech Oversight California
TechEquity Action
TechTonic Justice
The Collaborative Research Center for Resilience
UC Berkeley Labor Center
UDW/AFSCME Local 3930
UFCW Western States Council
United for Respect
Upturn
Warehouse Worker Resource Center
Working Partnerships USA
Worksafe
Writers Guild of America West
Individuals (affiliations listed for identification purposes only):
Rosemary Batt (Cornell University)
Chris Benner (University of California, Santa Cruz)
Kate Bronfenbrenner (Cornell ILR Global Labor and Work)
Ileen DeVault (Cornell University)
Veena Dubal (University of California, Irvine)
Sayuri Falconer (UCSF)
Shannon Gleeson (Cornell University School of Individual and Labor Relations and Brooks School of Public Policy)
Adam Seth Litwin (Cornell University)
Seema N. Patel (UC College of the Law San Francisco (UC Law SF) [formerly UC Hastings])
Dan Raile (The Worker Agency)
Chris Tilly (University of California Los Angeles)
