EPIC Urges the CPPA to Reinstate Strong Consumer Protections in Cybersecurity, Risk Assessments, and ADMT Rulemaking
June 3, 2025

EPIC submitted comments to the California Privacy Protection Agency (CPPA) urging the Agency to restore earlier drafts of the regulations that were more privacy protective rather than adopting the current draft, which has been significantly weakened.
EPIC has been consistently engaged throughout the CPPA's Proposed Rulemaking Regarding Cybersecurity, Risk Assessments, and Automated Decisionmaking Technology (ADMT), submitting comments in March 2023 and most recently in February 2025.
The comments express EPIC’s disappointment over the CPPA watering down the previously strong language that would have provided Californians with transparency and accountability mechanisms against the privacy harms caused by unchecked data collection and uses of ADMTs. EPIC urges the CPPA to reinstate stronger provisions from earlier proposals that covered a broader set of ADMTs, imposed substantive risk assessment responsibilities on businesses, and required cybersecurity audits sooner. The comments also address the common arguments proffered by industry to attack the CPPA’s rulemaking.
EPIC also joined a coalition comment led by the UC Berkeley Labor Center calling on the CPPA to strengthen worker privacy protections, and a coalition comment led by the ACLU of Northern California pointing out the privacy harms that will go unaddressed by the narrowed definitions in the latest proposed language.
We urge the CPPA to remain a leader for privacy, data protection, and AI safeguards and resist Big Tech’s effort to diminish the CPPA’s work in protecting consumer privacy.
