EPIC Commends CPPA on Strong Proposed Regulations on Cybersecurity, Risk Assessments, and ADMT

February 20, 2025

EPIC, along with the Consumer Federation of America (CFA), submitted comments to the California Privacy Protection Agency (CPPA) on the Proposed Rulemaking Regarding Cybersecurity, Risk Assessments, and Automated Decisionmaking Technology (ADMT). EPIC previously submitted comments on this proposed rulemaking in March 2023.

The comments commend the Agency for taking steps to protect consumers from the significant privacy harms caused by the use of ADMTs and the processing of personal data without adequate assessment and mitigation of the resulting privacy and security risks.

EPIC and CFA recommend six ways to strengthen the ADMT regulations: strengthening the definition of ADMT by adopting the State Administrative Manual’s definition; retaining consumers’ right to opt out of profiling for behavioral advertising; extending consumers’ right to opt out to the use of their personal data to train generative AI; removing the human appeal exception to the right to opt out of ADMT use; strengthening consumers’ access rights; and construing the security and fraud detection exception narrowly. The comments also include suggestions for increasing public transparency of businesses’ risk assessments and ensuring cybersecurity audits include information about businesses’ data minimization programs.

EPIC Senior Counsel Sara Geoghegan also testified at the CPPA’s public comment hearing to highlight EPIC’s recommendations for strengthening portions of the ADMT and risk assessment regulations.
