The Computer & Communications Industry Association (CCIA) is set to testify before the California Privacy Protection Agency regarding concerns over new proposed regulations under the California Consumer Privacy Act (CCPA). The CCIA has voiced support for balanced privacy regulations that protect both consumers and businesses but highlighted two problematic aspects of the proposed rules.

The CCIA pointed out that some provisions related to profiling and automated decision-making technology (ADMT) exceed the intended scope of the CCPA. Unlike other state privacy laws, which limit profiling regulations to significant decisions such as credit approval, housing, and employment, the CCPA imposes broader opt-out rights and risk assessment requirements. These apply even when data already available publicly is used. Such requirements pose operational challenges, especially for small businesses and startups, while adding compliance burdens that may not enhance consumer privacy protections.

Regarding ADMT requirements under the Act, CCIA expressed concern that businesses are required to conduct risk assessments even for internal model training where no significant consumer-affecting decisions are involved.

Jesse Lieberfeld, CCIA Policy Counsel, stated: “California has an opportunity to set a national standard for privacy protections that work for both consumers and businesses. We urge lawmakers to refine these rules to still allow data to be used for internal model training since that is not impacting consumers or decisions about them."

Lieberfeld added: “While the association supports existing CCPA rules that give consumers control over their data, such as opt-out rights and data correction, the proposed changes go beyond these protections. Instead, they risk stifling innovation and making it harder for businesses to improve technologies through low-risk data processing, without offering meaningful privacy benefits to consumers.”