CalChamber Comments, Raises Concerns, Calls for Extended Compliance Timeline

Proposed Privacy/Security Rules

By
Ronak Daylami
-

On February 18, the California Chamber of Commerce submitted comments in response to the California Privacy Protection Agency’s (CPPA) request for public input on draft regulations regarding automated decision-making technologies, cybersecurity audits, and privacy risk assessments.

Although the CalChamber supports the stated goal of the CPPA’s draft regulations to protect consumer privacy and security while advancing innovation, the CalChamber pointed out that the draft regulations fall short of the goal and require significant revisions to avoid both overreaching the limits of the statute and detrimental consumer impacts.

Recommendations

Among its recommendations, the CalChamber urged the CPPA to implement revisions to address concerns that the draft regulations and the Standardized Regulatory Impact Assessment (SRIA):

  • Overreach the CPPA’s statutory authority and encroach on the California Legislature and Governor’s ongoing efforts to strike a balance in regulating automated decision-making technologies (ADMT);
  • Conflict with existing statutory rights and exemptions;
  • Depart from established global privacy frameworks and standards;
  • Undercut foundational constitutional protections; and
  • Drastically underestimate the costs that the draft regulations will impose on businesses and the state.

The CalChamber also urged the agency to allow for a full 24 months to come into compliance with the updated regulations and the new articles.

“The cybersecurity audit and risk assessment timelines already recognize a 24-month time frame. Accordingly, the ADMT requirements and the modifications to the existing regulations should also be afforded a 24-month time frame for compliance,” the CalChamber said.

The CalChamber also requested that the CPPA make clear that the regulations apply only to processing activities that occur after the regulations enter into effect.

To read the CalChamber’s submitted comments, click here.

Economic Report

Economists’ Report on Cost Assessment of New Regulations Indicates the Agency Has Drastically Underestimated the Cost to Businesses and Overestimated the Savings to the State

A report released last November by the CalChamber concluded that businesses, consumers, and governments in California will suffer net economic losses, translating into reduced jobs and tax revenues, from the CPPA’s proposed rules.

The report, prepared by Capitol Matrix Consulting (CMC), analyzes anticipated savings detailed in the CPPA Standardized Regulatory Impact Assessment of proposed regulations that would add and change existing rules related to the California Consumer Privacy Act (CCPA) of 2018 as amended by the California Privacy Rights Act (CPRA) of 2020.

The SRIA concludes that the regulations would result in direct costs to California businesses of $3.5 billion in the first full year and average annual costs to businesses over the first 10 years of $1.08 billion and will result in employment losses peaking at 126,000 in 2030. Similarly, it estimates annual state revenue losses reaching $2.8 billion in 2028.

While the SRIA claims long-term benefits will exceed these costs, the report reveals that the purported benefits are based on an arithmetical error and speculative assumptions.

Privacy Agency Understates Costs

Specifically, the CMC report details errors in the SRIA that include:

  • Underestimating external auditor and employee compensation rates paid by businesses;
  • Excluding from its economic analysis out-of-state businesses that sell into California markets; and
  • Ignoring the massive ongoing costs and business productivity losses resulting from behavioral changes by businesses and consumers following adoption of the regulations.

Privacy Agency Overstates Savings

In addition, the SRIA overstates the savings from the proposed regulations by:

  • Grossly overestimating baseline cybercrime losses due to an arithmetical error and other factors, including a flawed approach to estimating future cybercrime losses; and
  • Overestimating savings from audits and risk assessments based on assumptions not supported by the literature, including articles listed in the SRIA.

The CMC analysis warns that there are major implications for California jobs and state budget revenues from the privacy agency’s underestimate of costs and overestimate of benefits of the proposed regulations.

A full copy of the analysis is available here.

Staff Contact: Ronak Daylami

Previous articlePotential Changes Coming to Workplace Violence Prevention Standards
Next articleVictims’ Leave Law Creates New Obligations, Expands Others
Ronak Daylami
Ronak Daylami, an experienced attorney, joined the California Chamber of Commerce in March 2022 as a policy advocate specializing in privacy issues. She came to the CalChamber policy team from Nielsen Merksamer, where she served as senior counsel in the firm’s government law section specializing in privacy issues, state regulation of business practices, consumer protection, and legislative process. Daylami previously worked for nearly 10 years in the Capitol, most recently as the chief consultant of the Assembly Privacy and Consumer Protection Committee, where she provided expertise on privacy, cybersecurity, consumer protection, and deployment of technology by state government, as well as counsel to the committee chairman during the negotiations and passage of the California Consumer Privacy Act. She earned a B.A. in political science and minored in English at the University of California, Berkeley, and a J.D. from University of California, Hastings College of the Law, where she was a senior articles editor for the Constitutional Law Quarterly. See full bio.