ICLE Comments to CPPA on ADMT Regulations
I. Introduction
We thank the California Privacy Protection Agency (“CPPA”) for the opportunity to comment on the proposed regulations for automated decisionmaking technologies (“ADMT”). These comments focus on the significant risks posed by the CPPA’s expansive approach to ADMT regulation, which would impose substantial compliance burdens, while potentially stifling innovation in artificial intelligence (“AI”). We respectfully suggest that the CPPA adopt a more targeted framework that focuses on marginal risks posed by truly consequential uses of ADMT, while allowing beneficial low-risk applications to continue to drive economic growth and technological advancement.
U.S. AI regulation is evolving at an unprecedented pace. In 2024 alone, 45 states, Puerto Rico, the U.S. Virgin Islands, and the District of Columbia all introduced AI-related bills, reflecting the fragmented and fluid nature of AI rules across U.S. jurisdictions.[1] This patchwork of state-level efforts underscores the significant variation in focus, with some laws targeting “high-risk” AI systems, others addressing algorithmic discrimination, and others still emphasizing consumer transparency and governance frameworks.
This rapid introduction of new measures has served to create substantial uncertainty for businesses in the emerging AI-services sector, particularly those that operate nationally. The CPPA’s draft regulations risk exacerbating this issue by imposing a broad and inflexible framework at a time when ADMT and other AI technologies and governance models are still taking shape. A sweeping, one-size-fits-all approach could quickly become outdated, hindering innovation and California’s leadership as a technology hub. A more agile and incremental strategy would allow California to adapt alongside the evolving landscape, rather than lock in rules that may fail to account for future developments in AI capabilities and risks.
A better approach to responsible ADMT regulation would be incremental and sector-specific.[2] Such an approach was advocated by the congressional Bipartisan Artificial Intelligence Task Force, which recommended identifying novel issues and addressing AI challenges within specific sectors by using existing regulatory frameworks where feasible.[3] By leveraging sector-specific expertise and regulatory structures, policymakers can craft targeted solutions that promote innovation while safeguarding against risks.[4]
A sectoral approach recognizes that ADMT and AI applications vary significantly across industries, with different risk profiles and operational contexts requiring tailored oversight. For instance, AI used in health-care diagnostics requires different safeguards than AI used for retail inventory management or marketing analytics. Financial services AI applications may need specific controls around fairness and transparency in lending decisions, while manufacturing AI might prioritize safety and reliability metrics. By working within existing industry-specific regulatory frameworks and expertise, a sectoral approach can more effectively address genuine risks, while preserving beneficial innovation.
This targeted approach would almost certainly be more effective than one-size-fits-all regulation. The National Telecommunications and Information Administration (NTIA) under former President Joe Biden and other key stakeholders have likewise endorsed sector-specific approaches, which can more easily avoid imposing inappropriate requirements across dissimilar use cases. By contrast, the CPPA’s approach risks creating requirements that are simultaneously too stringent for low-risk applications and insufficiently stringent for truly high-risk uses.
Adopting an incremental approach would also allow policymakers to address genuine ADMT and AI-related risks as they emerge without stifling progress. In contrast, the CPPA’s current draft regulations risk establishing a rigid framework that could place particularly undue burdens on small businesses and startups that may increasingly depend on AI tools to maintain their competitive edge and productivity. In a moment when this policy field remains fluid, California has an opportunity to lead by example, by championing innovation while addressing harms through a measured and iterative regulatory framework.
The remainder of these comments will address some specific concerns and suggest paths forward.
II. Core Concerns with the CPPA Draft
A. Overly Broad Scope and Definitions
The draft regulations introduce several problematically broad definitions that could sweep a vast range of technologies and business practices into their ambit. The definition of “AI” includes any “machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments.”[5] Even more concerning, the definition of “automated decision-making technology” includes not just those systems that make or replace human decisions, but also any technology that “substantially facilitates human decision-making.”[6]
This vague standard is expanded further to include any use of such technology’s output as a “key factor in a human’s decision-making.”[7] The regulations compound this scope with a broad definition of “behavioral advertising,” which would include any targeting based on consumer activity, both across and within a business’s own services.[8]
These overlapping and expansive definitions create significant interpretive challenges. For example, even basic spreadsheet analyses that inform business decisions could qualify as ADMT if they are deemed to “substantially facilitate” those decisions. Similarly, the broad scope of “behavioral advertising” could mean that simply remembering a customer’s preferences on a business’s own website triggers broad regulatory obligations. When combined with the regulations’ extensive compliance requirements, these definitions threaten to capture routine business operations far beyond what might be necessary to protect consumer privacy.
The CPPA’s proposed expansive definition of ADMT would also capture a broad array of routine AI applications, including customer profiling, behavioral advertising, and operational-efficiency tools.[9] While the intent to protect consumers is clear, this overly broad definition fails to account for the heterogeneity of AI systems and the nuanced ways they may function across industries. This risks imposing premature and disproportionate obligations on businesses and stifling innovation at a time when AI development remains in its infancy.
Indeed, despite the marketing hype, AI is not a single monolithic technology, but rather a diverse collection of tools deployed across different layers of an “AI stack.”[10] Treating all forms of AI—whether low-risk tools like chatbots or high-impact systems like automated credit decisions—as equivalent under a single regulatory framework would be both analytically unsound and practically counterproductive. The CPPA proposal fails to distinguish between consequential decisions with a direct impact on consumer rights and routine, low-risk AI applications that may help to improve business efficiency or customers’ experience.[11]
This overreach creates significant uncertainty for businesses, particularly small and mid-sized firms. Many of these firms are beginning to rely on AI tools for operational efficiency, marketing, and customer service, and the costs of compliance under such a sweeping definition would be prohibitive. To date, AI adoption by small businesses has proven transformative, improving profitability, reducing operational burdens, and enabling competitiveness against larger firms.[12] Subjecting these businesses to ambiguous and burdensome regulatory requirements will disproportionately harm their ability to innovate and adopt new technologies.
AI’s productivity benefits are particularly important for workers with fewer skills or resources, as it automates tasks, enhances lower-skilled workers’ output, and increases efficiency.[13] Regulations that fail to differentiate among AI systems based on their risk levels or use cases may inadvertently discourage the adoption of AI technologies across the board, ultimately hindering the productivity and growth of small businesses. This is especially concerning, given that many of these firms lack the legal and financial resources to navigate compliance with overly broad regulations.
Some models for AI governance provide a more nuanced approach by focusing on marginal risks, rather than imposing broad, preemptive restrictions. For instance, the Biden administration’s NTIA recommended evaluating the “marginal risks” introduced by specific AI systems relative to existing alternatives, focusing on empirically demonstrable harms rather than speculative risks.[14] This framework seeks to assess the incremental risks and benefits that AI technologies may pose in specific contexts, thereby ensuring that only systems with significant and observable harmful effects would face heightened scrutiny. Unlike the CPPA’s sweeping definition of ADMT, the NTIA’s approach provides a structured, evidence-based pathway to understand AI risks without stifling innovation.
Moreover, broadly defining AI and ADMT could lead to unintended consequences for competition and innovation. As noted above, the heterogeneity of AI services and markets makes any attempt to regulate “AI” as a singular entity analytically untenable.[15] The rigidity of the CPPA’s current proposal could discourage investment in AI development and adoption within the state, pushing innovation to other jurisdictions with clearer, risk-adjusted regulatory environments.[16] Indeed, we have already seen a similar flight to more flexible jurisdictions in response to the EU’s AI Act.[17]
Ultimately, the CPPA draft’s overly broad definition of ADMT is premature. Policymakers should adopt a narrower, risk-based framework focusing on truly consequential uses of ADMT (which may or may not involve AI), while allowing routine and low-risk applications to continue delivering economic and societal benefits. A more targeted approach would align California’s efforts with evolving federal and global frameworks, while preserving the state’s position as a leader in AI development and innovation.
B. Legal and Jurisdictional Concerns
The CPPA’s expansive proposed regulations raise serious questions about their alignment with the original intent of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).[18] These laws were designed to give consumers greater control over their personal data and to safeguard their privacy in an era of rapid technological change. The draft regulations on ADMT, however, appear to exceed this mandate by broadening the scope to include virtually any AI-driven system, irrespective of its risk profile or actual impact on consumer rights.
This approach contrasts sharply with more targeted regulatory frameworks. For example, as noted above,[19] the NTIA’s marginal-risk framework focuses on assessing AI systems’ incremental risks and benefits, ensuring that only applications with significant observable negative effects face heightened scrutiny.[20] In contrast, the CPPA draft fails to distinguish between high-stakes systems and routine, low-risk applications like customer profiling and advertising optimization.[21]
Apart from the direct effects of the CPPA’s approach on consumers and businesses, its conflicts with emerging frameworks that favor sectoral regulation over comprehensive rules and will lead to other headaches for U.S. firms. While federal agencies and legislators are moving toward targeted, industry-specific approaches that account for differing risk profiles and use cases,[22] the CPPA’s regulations would impose broad requirements across all sectors. This creates practical compliance challenges for businesses that must navigate both federal and state requirements, and leads to potential federal preemption issues. For example, a business developing AI tools for health care might need to comply with sector-specific guidelines from the U.S. Food and Drug Administration (FDA), while simultaneously meeting California’s sweeping ADMT requirements. The potential for contradictory obligations or duplicative compliance burdens is significant.
C. Disproportionate Impact on Business Innovation
1. Impact on small businesses
Small businesses form the backbone of California’s economy, and their ability to compete increasingly depends on AI tools. AI technologies already play a critical role in helping small businesses to remain efficient and competitive in a fast-moving digital marketplace. Surveys suggest that 95% of small businesses already use at least one technology platform to streamline their operations, with nearly a quarter adopting AI to improve marketing, customer communications, and overall business performance.[23] For these businesses, AI adoption has led to measurable increases in profit margins, sales, and operational efficiency.[24]
AI tools can help to level the playing field by providing affordable and scalable solutions. AI-powered platforms can help small businesses to better understand customer behavior, optimize advertising strategies, and reach new audiences. AI-driven tools for inventory management, payroll, and customer-relationship management can enhance operational efficiency, allowing business owners to focus on growth rather than administrative burdens.[25]
The CPPA’s broad regulations, however, risk undermining these gains by subjecting routine AI tools to onerous compliance requirements. Unlike large corporations with dedicated legal teams, small businesses often lack the resources to navigate complex regulatory frameworks. The cost of compliance could become a barrier to adopting AI technologies, particularly given that AI tools provide the greatest productivity benefits to more modestly resourced workers and businesses.[26] This regulatory burden would not only stifle innovation but could also exacerbate existing challenges that small businesses already face, such as inflation and workforce shortages.[27]
2. Disruption to the digital-advertising ecosystem
The regulations particularly threaten the digital-advertising ecosystem by conflating behavioral advertising with consequential decisionmaking systems. While behavioral advertising uses AI-driven analysis, such systems do not make decisions about individuals and therefore operate in a fundamentally different way from the high-stakes systems used for credit approvals or employment decisions. Treating these tools as equivalent would impose an inappropriate framework on an industry vital to the digital economy.
Further, behavioral advertising underwrites many free online services that consumers rely on daily. The CPPA’s overly broad definition could force advertising platforms and smaller advertisers to abandon targeted advertising strategies, threatening ad-supported business models and reducing access to free digital services. Such regulatory overreach would have a chilling effect, as prescriptive and expansive rules often stifle innovation by discouraging investment in those areas where the regulatory landscape is most uncertain or unduly burdensome.[28]
Moreover, the proposed regulations fail to recognize that behavioral advertising primarily involves optimizing ad delivery based on anonymized data, rather than making binding decisions with significant effects on consumers’ lives. These are typically low-risk, reversible decisions ill-suited for a regulatory framework designed to mitigate the potential harms of high-risk AI systems. Small businesses, in particular, stand to lose the most from these regulations, as many rely on targeted advertising to reach niche markets in a cost-effective manner.
3. Broader economic consequences
The CPPA’s proposed regulations carry significant risks for innovation and U.S. technological competitiveness, with California standing to lose the most. The state is uniquely positioned as a nexus of AI innovation, hosting the world’s leading AI research institutions, most of the top AI companies, and a dense network of AI startups and talent. This ecosystem has made California the primary locus of U.S. leadership in AI. Stringent state-level AI regulations, however, could undermine this position by creating a fractured regulatory landscape that increases costs and reduces investment in the sector.[29] California-based companies would face a difficult choice: either accept higher compliance burdens than their global competitors, or relocate key operations to more business-friendly jurisdictions.
The stakes are particularly high given the intense global competition in AI development. Other regions are actively working to attract AI companies and talent.[30] While California’s existing ecosystem provides significant advantages, regulatory costs can shift the calculus for both established companies and startups alike. Development teams might relocate to states with clearer regulatory frameworks, while investors might redirect capital to jurisdictions where compliance burdens are more predictable. This regulatory arbitrage could gradually erode California’s advantage as the world’s preeminent AI hub.
The regulations could have a particularly severe adverse impact on AI research and development. California’s research institutions and companies are at the forefront of developing cutting-edge AI applications like large language models (LLMs), generative-AI tools, and advanced-automation systems. These innovations require extensive experimentation and rapid iteration to achieve technological breakthroughs. The CPPA’s broad definition of ADMT could be interpreted to cover many of these research and development activities, creating uncertainty about compliance obligations during the development process. This ambiguity could force researchers and developers to slow their progress significantly or implement burdensome compliance processes even during early experimental phases.
The implications extend beyond individual research projects to the broader AI-development ecosystem. Researchers might avoid pursuing promising lines of inquiry where the regulatory implications are unclear. Companies might relocate their R&D operations to jurisdictions with clearer frameworks for AI development. Even routine product improvements and testing could face delays and added costs as businesses navigate the new compliance requirements.
The measurable impact of such overregulation is well-documented. Excessive regulation consistently reduces innovation by increasing costs and discouraging risk taking by entrepreneurs and businesses alike.[31]
III. Conclusion
The CPPA’s draft regulations on ADMT require significant refinement to achieve a better balance of consumer protection with innovation and economic competitiveness. A targeted approach focused on “consequential decisions” would align with effective practices, while equipping the CPPA the tools to protect consumers. This narrower scope would also reduce compliance burdens for routine, low-risk AI applications while maintaining oversight where it matters most.
An incremental, evidence-based approach should guide California’s regulatory framework. Overregulation can stifle innovation and create barriers for startups, who are critical to the AI ecosystem.[32] The CPPA can ensure its rules evolve with the rapidly changing AI landscape by avoiding premature codification of broad mandates that could quickly prove obsolete.
Broader governance of AI systems should take account of the need for a holistic, nationwide framework.[33] A fragmented patchwork of state-level regulations will create compliance challenges for businesses operating across jurisdictions, thereby reducing investment and deterring innovation.[34] By harmonizing with emerging federal policies—or deferring broad regulations until the federal consensus is clearer—California can provide clarity to AI developers while maintaining appropriate consumer protections.
A sectoral approach would enable more effective and efficient oversight. The diverse industries that employ AI services face distinct challenges: financial services must prioritize algorithmic fairness, health-care applications must emphasize privacy and accuracy, and retail applications might focus on improved customer service. By working within existing regulatory frameworks, the CPPA could better calibrate requirements to actual risks and operational realities. This would allow for nuanced oversight of high-risk applications, while avoiding laying unnecessary burdens on beneficial, low-risk AI tools.
California’s unique position as the world’s leading AI-development hub means it has the most to gain from getting these regulations right. The state can maintain its leadership position while protecting consumers by adopting targeted regulations that address genuine risks, and without creating unnecessary barriers to innovation. By narrowing the focus of ADMT regulations, adopting an incremental strategy, and prioritizing harmonization with federal initiatives, California can strike the right balance between safeguarding consumer rights and fostering a thriving, competitive AI ecosystem.
[1] See Tatiana Rice et al., U.S. State AI Legislation, Future Priv. Forum (2024), at 3, available at https://fpf.org/wp-content/uploads/2024/09/FINAL-State-AI-Legislation-Report-webpage.pdf; Artificial Intelligence 2024 Legislation, Nat’l. Conf. State Legis. (Sep. 9, 2024), https://www.0.ncsl.org/technology-and-communication/artificial-intelligence-2024-legislation.
[2] See Jay Obernolte & Ted W. Lieu, Report of the Bipartisan House Task Force Report on Artificial Intelligence (Dec. 2024), vi-vii, 85, available at https://republicans-science.house.gov/_cache/files/a/a/aa2ee12f-8f0c-46a3-8ff8-8e4215d6a72b/E4AF21104CB138F3127D8FF7EA71A393.ai-task-force-report-final.pdf.
[3] Id. at 6, 30.
[4] Id. at 7, 17.
[5] Proposed Regulations § 7001 (c), Calif. Priv. Prot. Agency (2024), available at https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_ins_text.pdf.
[6] Id. § 7001(f).
[7] Id.
[8] CPPA, supra note 5, § 7001(g).
[9] CPPA, supra note 5, § 7001(m) (6).
[10] See Lazar Radic & Kristian Stout, What Is the Relevant Product Market in AI?, Concurrences (Aug. 16, 2024), at 109, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4927505.
[11] Id. at 110.
[12] See Empowering Small Business: The Impact of Technology on U.S. Small Business, U.S. Chamb. Commer. Tech. Engagem. Ctr. (Sep. 14, 2023), at 3, available at https://www.uschamber.com/assets/documents/The-Impact-of-Technology-on-Small-Business-Report-2023-Edition.pdf; Open Source AI is Leading to Breakthroughs in Healthcare, Education, and Entrepreneurship, Meta (Dec. 11, 2024), https://about.fb.com/news/2024/12/open-source-ai-is-leading-to-breakthroughs-in-healthcare-education-and-entrepreneurship.
[13] See Julian Jacobs, Evidence Shows Productivity Benefits of AI, Center for Data Innovation, Cent. Data Innov. (Jun. 11, 2024), https://datainnovation.org/2024/06/evidence-shows-productivity-benefits-of-ai.
[14] See Kristian Stout et al., NIST AI 800-I, Managing Misuse Risk for Dual-Use Foundation Models, Int’l Ctr. L. & Econ. (2024), at 8-13, available at https://laweconcenter.org/wp-content/uploads/2024/09/NIST-AI-comments-final.pdf.
[15] See Radic & Stout, supra note 10, at 108, 113, 131.
[16] See Rachel Curry, How AI Regulation in California, Colorado and Beyond Could Threaten U.S. Tech Dominance, CNBC (Nov. 21, 2024), https://www.cnbc.com/2024/11/21/how-ai-laws-in-california-states-threaten-us-tech-dominance.html.
[17] Pascale Davies, Why OpenAI’s Voice Mode, Meta’s Llama and Apple’s AI Won’t be Coming to Europe Yet, Euronews (Aug. 10, 2024), https://www.euronews.com/next/2024/10/08/why-openais-voice-mode-metas-llama-and-apples-ai-wont-be-coming-to-europe-yet.
[18] See Kayla N Bushey, One Size Dose Not Fit All: How the California Privacy Rights Act Will Not Improve Employee Data Collection and Privacy Rights, 32(1) Cath. U. J.L. & Tech. (2023), https://scholarship.law.edu/jlt/vol32/iss1/8; California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.; Maria Korolov, California Consumer Privacy Act (CCPA): What You Need to Know to be Compliant, CSO (Jul. 7, 2020), https://www.csoonline.com/article/565923/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html.
[19] Stout, supra note 14.
[20] Stout, supra note 14 at 9.
[21] See Sebastião Barros Vale & Gabriela Zanfir-Fortuna, Automated Decision-Making Under the GDPR: Practical Cases from Courts and Data Protection Authorities, (May 2022), at 21, https://fpf.org/wp-content/uploads/2022/05/FPF-ADM-Report-R2-singles.pdf; Draft Risk Assessment and Automated Decisionmaking Technology Regulations, Calif. Priv. Prot. Agency (2024), at 3-4, available at https://cppa.ca.gov/meetings/materials/20240308_item4_draft_risk.pdf.
[22] Kristian Stout, The AI Legislative Puzzle, Truth Mark. (Nov. 7, 2024), https://truthonthemarket.com/2024/11/07/the-ai-legislative-puzzle; Stout, supra note 14 at 8; Obernolte & Lieu, supra note 2 at 17, 21, 70.
[23] U.S. Chamber, supra note 12 at 3, 4.
[24] Id. at 2, 23.
[25] Id. at 5.
[26] Jacobs, supra note 13.
[27] U.S. Chamber, supra note 12 at 2, 15.
[28] See Michael Genest et al., Comments on August 2024 CPPA SRIA, Capitol Matrix Consult. (Nov. 1, 2024), available at https://advocacy.calchamber.com/wp-content/uploads/2024/11/CMC_comments_on_CCPA_SRIA_11-1.pdf; California Consumer Privacy Act, Interact. Advert. Bur., https://www.iab.com/topics/privacy/ccpa (last visited Dec. 27, 2024); Betsy Vereckey, Does Regulation Hurt Innovation? This Study Says Yes, MIT Sloan Sch. Manag. (Jun. 7, 2023), https://mitsloan.mit.edu/ideas-made-to-matter/does-regulation-hurt-innovation-study-says-yes.
[29] See Chris Edwards, Entrepreneurs and Regulations: Removing State and Local Barriers to New Businesses, Cato Inst. (May 5, 2021), https://www.cato.org/policy-analysis/entrepreneurs-regulations-removing-state-local-barriers-new-businesses; Curry, supra note 16; U.S. Chamber, supra note 12.
[30] See UAE Establishes Global Leadership in Artificial Intelligence, High-Tech Innovation, Emir. News Agency (Sep. 28, 2024), https://www.wam.ae/en/article/b5exntj-uae-establishes-global-leadership-artificial; The U.A.E.’s Big Bet on Artificial Intelligence, U.S.-UAE Bus. Counc. (Feb. 2024), available at https://usuaebusiness.org/wp-content/uploads/2024/02/SectorUpdate_AIReport_Web.pdf.
[31] See Philippe Aghion et al., The Impact of Regulation on Innovation (Nat’l Bureau of Econ. Rsch. Working Paper No. 28381, 2021), https://www.nber.org/papers/w28381.
[32] Id.
[33] See, e.g., Stout, supra note 14 at 3; Vale & Zanfir-Fortuna, supra note 21.
[34] See Chinmayi Sharma & Alan Z. Rozenshtein, Regulatory Approaches to AI Liability, Lawfare (Sep. 24, 2024), https://www.lawfaremedia.org/article/regulatory-approaches-to-ai-liability.