It’s spring 2025, and the California Privacy Protection Agency (CPPA) that just fined Honda Motors is wrestling with one of the trickiest puzzles in tech regulation: how to govern automated decision-making technology (ADMT) without stifling innovation. At their meeting a week ago, the CPPA Board took a hard look at their latest draft rules and decided to trim some of the heftier requirements. I’ve been following this saga, and it’s a fascinating tug-of-war between privacy hawks and industry advocates. The changes signal a shift less about heavy-handed control, more about finding a workable balance. Here’s what’s happening and why it matters.
A Lighter Touch on ADMT
The CPPA’s been grinding away at rules to manage how businesses use ADMT think AI systems that decide who gets a loan, a job, or an insurance policy. The original draft was ambitious, casting a wide net over anything that crunched personal data to make choices. But after months of pushback, the board’s easing up. They’ve tweaked the definition of ADMT to focus only on tech that “substantially facilitates” human decisions, not just any tool that lends a hand. It’s a narrower lens, aimed at the big players systems that really call the shots or heavily sway outcomes.
Another big move? They’ve yanked behavioral advertising out of the ADMT and risk assessment mix. That’s a win for digital marketers who feared they’d be bogged down by extra compliance steps for targeting ads based on user habits. The board also shaved down the list of “significant decisions” that trigger stricter rules—like cutting some categories that businesses argued were too broad. These changes aren’t final yet; they’re conditionally greenlit, with a last sign-off coming next meeting.
Why the Pullback?
This isn’t happening in a vacuum. Businesses, trade groups, and even some lawmakers have been vocal really vocal about the rules being a chokehold on AI growth. The CPPA got an earful: over 1,600 pages of written feedback plus hours of public testimony. I talked to a small business owner last week who said the old draft would’ve forced him to hire a full-time compliance officer just to keep his hiring software legal. Multiply that across California’s tech scene, and you see the stakes.
Board member Alastair Mactaggart’s been a loud skeptic, warning that the rules overstep the CPPA’s privacy mandate into full-on AI regulation. He’s got a point—these drafts have been a lightning rod, with threats of lawsuits looming if they pass as-is. But others, like Jennifer Urban, argue that dodging tough rules just because of litigation fears guts the agency’s mission. It’s a classic standoff: protect consumers or keep the economy humming?
Looking West—and to Colorado
Here’s where it gets interesting: the CPPA’s not working alone. They’re eyeing Colorado’s AI Act, set to kick in next February, for clues on syncing up. Colorado’s approach leans on risk assessments too, but it’s less about blanket rules and more about tailoring oversight to specific AI uses. The CPPA board’s asked staff to dig into this, hunting for ways to harmonize without turning California into an outlier. It’s a smart play—nobody wants a jigsaw of state laws tripping up companies that operate coast to coast.
The White House is in the mix too, nudging regulators toward innovation-friendly policies. That vibe’s trickling down, and you can feel it in these revisions. It’s less about locking AI in a cage and more about setting guardrails that let it run—safely.
Steps to Stay Ahead
For businesses, this is a breather, but not a free pass. The rules are still in flux—more feedback’s due in May, and if the tweaks are big enough, another 45-day comment round could push final approval to November. Here’s what I’d do if I were running a company using ADMT:
- Track Your Tech: Know exactly how your AI tools use personal data—especially for decisions like hiring or credit scoring. The narrower ADMT definition means you might dodge some rules, but you need to prove it.
- Assess Risks Now: Even without behavioral ads in the mix, risk assessments are sticking around. Start mapping out where your data flows and what it’s deciding—beat the rush.
- Push for Clarity: Join the comment period. Stakeholders like the California Hispanic Chamber want a 2028 start date—others want tighter consumer protections. Your voice could tip the scales.
Where Do AI Regulations Go From Here?
The road ahead is never clear. Last year at the IAPP DC conference they said there will not be a comprehensive privacy bill. Then on Friday we were told actually there will be one now… Then it flopped. Will these changes calm the storm? Hard to say. Industry folks might cheer the lighter load, but privacy advocates like Tech Equity’s Swati Chintala say it’s not enough to shield Californians from AI gone wild. The CPPA’s got a tightrope to walk: keep businesses from bolting to laxer states while ensuring folks aren’t just data fodder for algorithms.
Me? I think this is a pivot, not a retreat. The CPPA’s feeling the heat and adjusting, but they’re not ditching the mission. With Colorado as a benchmark and a deadline looming, the next few months will be a sprint.
