Mr. Phil Laird
General Counsel
California Privacy Protection Agency
Attn: Legal Division – Regulations Public Comment
2101 Arena Blvd.
Sacramento, CA 95834
Re: Notice of Proposed Rulemaking on CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology Regulations
Dear Mr. Laird,
On behalf of the American Fintech Council (AFC), I am submitting this comment letter in response to the California Privacy Protection Agency’s (CPPA or Agency) Notice of Proposed Rulemaking on CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations (Proposed Rule).
AFC’s mission is to promote an innovative, transparent, inclusive, and customer-centric financial system by fostering responsible innovation in financial services and encouraging sound public policy. AFC members are at the forefront of fostering competition in consumer finance and pioneering ways to better serve underserved consumer segments and geographies. Our members are also improving access to financial services and increasing overall competition in the financial services industry by supporting the responsible growth of lending and lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable financial products.
AFC recognizes and appreciates the importance of developing pragmatic regulations related to emerging technologies, including Artificial Intelligence (AI), and use cases such as ADMT. The Proposed Rule reflects California’s consistent approach to developing proactive regulations in the technology sector. AFC agrees with several provisions within the Proposed Rule. Namely, AFC agrees with the CPPA’s decisions to:
• Consolidate the pre-use notice provisions to help streamline the user experience;
• Exempt businesses from providing consumer explanations on security, fraud prevention, and safety use cases of ADMT in order to protect the core functions of these enterprise use cases of ADMT; and
• Exempt businesses that have engaged in a cybersecurity audit, assessment, or evaluation that meets the requirements of the Proposed Rule from performing a duplicative cybersecurity audit.
However, as part of CPPA’s efforts to pursue regulations in the technology sector that afford California residents adequate rights and protections, there must also be due consideration to the operational challenges, technical considerations, and legal ramifications associated with companies acting in accordance with the Proposed Rule. Therefore, as discussed further below, AFC recommends specific modifications to the Proposed Rule for your careful consideration.
AFC advocates for consumers to have control over their data and agrees in principle with the provisions of the Proposed Rule that are associated with consumers’ data rights. However, the Proposed Rule should be modified in specific ways to ensure that companies subject to it can comply from an operational standpoint without facing issues that would inhibit their operations and their ability to serve consumers.
Namely, businesses seeking to comply with the Proposed Rule’s provision on identifying “[t]he approximate number of consumers whose personal information the business seeks to process” may face significant issues due to the inherent ambiguity in the provision as written. Specifically, lenders entering new markets or seeking to expand their offerings who use ADMT in their products and services may have imperfect information regarding the number of consumers whose personal information they will process. To ensure that companies can comply with the Risk Assessment requirement while also reflecting the realities of the market, the CPPA should provide additional regulatory guidance or flexibility for how companies should comply.
Additionally, as written, the Proposed Rule states that businesses that are “making automated decisionmaking technology or artificial intelligence available to another business… must provide all facts necessary to the recipient-business for the recipient-business to conduct its own risk assessment.” While AFC agrees with the principle of ensuring that there is a robust framework for developing risk assessments throughout the data supply chain, as written, the Proposed Rule’s provision presents ambiguity as to the specific information that a business making ADMT or AI should provide to the partner business. Therefore, AFC recommends that CPPA provide additional clarity within the regulations or via subsequent guidance upon finalization of the Proposed Rule.
Further, as written, there is inherent ambiguity in how to implement the Proposed Rule’s provision regarding “prohibition against processing if risks to consumers’ privacy outweigh benefits”. Given the subjective quality of this prohibition, businesses seeking to remain in compliance with the Proposed Rule could logically pursue activities that some may view as overly risk averse or risk seeking. Unfortunately, in the financial services space, the ambiguity of the provision could result in responsible products and services, such as lending, deposit taking, and payments, being unavailable to California consumers, because responsible innovators in financial services will seek to avoid running afoul of compliance requirements in the Proposed Rule. To remedy this ambiguity, AFC recommends CPPA pursue additional clarity within the regulations or via subsequent guidance upon finalization of the Proposed Rule specifically regarding the cost-benefit analysis required to ensure proper compliance with the regulation.
Specifically related to the Proposed Rule’s provisions on ADMT, AFC believes that CPPA should consider specific modifications to help ensure that businesses are able to effectively serve consumers while remaining in compliance with the Proposed Rule’s requirements. Specifically, with regard to the Proposed Rule’s request to opt out of ADMT, AFC recognizes particular issues with the requirements for deleting data that is used for the training of ADMT. In the financial services space, lenders leveraging ADMT require large amounts of data in order to train their underwriting and decision models effectively. This data does not simply help in the development of one model, but also in the refining of subsequent models. As written in the Proposed Rule, lenders will likely face significant costs if they are required to allow consumers to opt out of the use of automated decisionmaking technology used to train other models, and it may inhibit the ability of lenders to effectively train their models to ensure that they properly assess risk and avoid any bias. Therefore, the CPPA should consider adding training uses of ADMT as set forth in section 7200 to the list of exempted activities from consumer opt-out requirements.
In addition, while AFC supports the plain-language explanation and disclosure principles underlying the Proposed Rule’s provisions, we believe that CPPA should consider adding an exemption for proprietary information or trade secrets, such as algorithm specifications regarding the use of personal data within an ADMT model. Providing an explicit exemption for proprietary information will ensure that companies will be able to provide the necessary information and explanations to consumers without harming the competitiveness of the products and services they offer.
We respect the efforts that the CPPA put into the Proposed Rule. However, as discussed, we believe that the Proposed Rule, as written, presents opportunities for further modifications to ensure that companies using ADMT can effectively operate in California. We thank you for your consideration of our comments and our recommendations on the Proposed Rule.
Sincerely,
Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.