Layton is a visiting fellow for Communication, Media and Information Technologies at the Aalborg University Centre in Denmark and an author. She measures the impact of digital regulatory policies. She lives in San Francisco.
California passed the nation’s toughest data privacy and digital consumer rights law in 2020, but details of how it will be applied and enforced are still being hammered out, especially in regard to AI-powered automated decision making technology. It’s crucial that the decision makers overseeing this effort involve stakeholders in the tech industry — the obvious experts on all things AI — to make sure reasonable regulations are put in place that will protect Californians without stifling technological innovation.
The California Consumer Privacy Act of 2018 is a data privacy law that sets standards for data collection, details the consequences for businesses that fail to protect data and explains the rights California consumers can exercise over their own personal data.
The California Consumer Privacy Act was amended in 2020 by state Proposition 24, which gave consumers more control over their personal data and also established the California Privacy Protection Agency to implement and enforce the agency. One of the major issues facing the California Privacy Protection Agency now is how to deal with the impacts of artificial intelligence technologies, as the power of AI creates new challenges in keeping personal data safe and private.
To help address those challenges, in November 2023, the California Privacy Protection Agency released draft language of automated decision making technology regulations defining new protections for consumers dealing with businesses employing emerging technologies that leverage AI. They include the rights of consumers to opt out of AI-powered automated decision making technology participation and access information about how a company is using the technology.
In the United Kingdom, Parliament is considering the second version of the Data Protection and Digital Information Bill, which would amend the nation’s privacy and electronic communications regulations. As part of the process, lawmakers have tabled for further consideration 124 amendments proposed by various government departments and members of Parliament. Although California legislators should move forward with all reasonable speed on finalizing the California Privacy Protection Agency, they would do well to emulate the deliberate approach underway in the U.K. It is critical that the policies which will protect the private information of California consumers be right — not rushed.
Significant policies such as this never suffer from being developed with thoughtful input from all stakeholders, and there is a demonstrated level of such engagement in this process. The California Privacy Protection Agency’s open engagement policy exists to ensure that the board does not issue regulations without the guidance that can come from public comments. If their actions are not deliberate and thoughtful, that open engagement dictate is just semantics.
Although there is strong disagreement among California Privacy Protection Agency board members about the sweeping scope of the definition of AI-powered automated decision making technology — with significant concerns raised about the unintended consequences of an overly broad definition, lack of coordination with the governor’s office and legislators in Sacramento, and whether the draft regulations exceed the agency’s statutory authority — the board voted 3 to 2 to advance the AI-powered automated decision making technology and risk assessments draft language to formal rulemaking.
Unfortunately, by sheer volume and conflict, California is at a tipping point of creating a spider web of legislation and regulations that with conflicting definitions and policies risk creating such chaos that the state could become the poster child for what not to do, rather than being the thoughtful leader that all other states and other countries expect from our policymakers.
There is still ample opportunity to avoid that outcome. By taking the time to gather and consider relevant input from all stakeholders — especially including AI experts in the tech sector — the California Privacy Protection Agency can finalize commonsense regulations that protect consumer privacy without putting California behind in AI innovation and the competition to attract the new businesses and jobs rapidly springing from this pivotal technology.
