New California Regulations Will Do More Harm than Good to Businesses and Consumers 

The CPPA (California Privacy Protection Agency), was established in 2020 by ballot measure in order to enforce the CPRA (California Privacy Rights Act), which amended the CCPA (California Consumer Privacy Act). This tongue twisting number of similar sounding acronyms unfortunately represents a larger problem with the data regulations these acts establish: they’re complicated, confusing, and difficult. 

Businesses often do use data in ways that are less than ideal, and addressing privacy concerns regarding data collection can be an admirable goal if done right. However, the CPPA’s proposed method, which is under consideration by regulators this month, would introduce a variety of onerous new compliance burdens on businesses who can’t afford it, while simultaneously exceeding the mandate voters gave the agency when they passed the ballot measure in 2020. 

The new regulations are 109 pages and replete with technical jargon. Interpretation of the rules and bringing a company into full compliance requires a significant amount of legal expertise and time, two things that cost a lot of money. Moreover, a 109-page document full of legalese is always subject to potential misunderstandings that can lead to major fines, and thus more lost money for companies of all types who would be subject to these regulations.  

To make matters worse, California is already losing tech companies that have provided billions in economic activity and tax revenue, in part due to its ever-increasing regulatory state. The CPPA’s proposed revisions, which target tech companies explicitly, double down on a regulatory climate that is already quite hostile to Silicon Valley. 

The CPPA’s revisions would also crack down on new AI integration by companies including banks, who are actively deploying AI to combat financial crimes. Introducing new blanket regulations that limit the use of automated technologies on consumer data could inadvertently lead to more financial crime by unnecessarily tying companies’ hands. Moreover, regulating automated systems, without comprehensive legislation and this early on in their development, could risk chilling innovation.  

There is no need for California agencies to unilaterally act on regulating data collection and AI. Several federal organizations and other states already have regulations in place or are currently considering them. With so much federal action already in the works, increasing the number of rules at best makes them redundant and, at worst, creates contradictory landscapes where compliance with one regulation violates another, either on the national level or in other states. 

Within the two five hundred page documents detailing the many comments that different companies and organizations have made to the CPPA following their announcement – the vast majority of which are opposed to the new regulations, – there are many more strong arguments for caution.  

Hammering businesses with obscure rules that obstruct the use of everyday systems and technologies is not what California voters thought they’d be getting when they supported the ballot measure in 2020. The rules under consideration have little to do with its original purpose: limiting businesses from sharing personal data, providing ways for consumers to give feedback on the incorrect use of their data, and giving consumers power over the use of sensitive information. Lawmakers should strongly consider throwing out these regulations during this week’s hearing.