The Computer & Communications Industry Association (CCIA) has submitted comments regarding the California Privacy Protection Agency's (CPPA) proposed rule changes under the California Consumer Privacy Act. The updates focus on risk assessments, artificial intelligence tools, and automated decision-making technologies.
While CCIA supports strong consumer privacy protections, it expressed concerns that the draft rules might impose unnecessary burdens on California businesses and create confusion for consumers without offering significant additional privacy benefits. The association provided targeted recommendations to clarify the rules and reduce regulatory duplication, especially where federal or other state-level privacy laws already provide protections.
CCIA highlighted issues with overly broad definitions of "automated decision-making technology" and "significant decisions," which could limit the use of common technologies like firewalls and fraud prevention tools that do not make determinations about individuals. It also raised concerns about rigid notice and opt-out requirements, as well as an inflexible checklist-style approach to risk assessments that may not align with best practices in data protection.
Jesse Lieberfeld, CCIA Policy Counsel, stated: “Californians expect meaningful privacy safeguards, but they also deserve rules that are clear, focused, and effective. These proposals risk creating more confusion than clarity for consumers and more red tape than necessary for businesses. We urge the CPPA to refine the rules in ways that protect user privacy while preserving the ability of companies to innovate and provide secure, trusted services.”