California's High-Stakes Privacy Gamble
How the CPPA’s Proposed Rules Could Undermine Tech Innovation and Small Businesses
The California Privacy Protection Agency (CPPA) is currently considering a regulation that could remove California from the center of the digital universe. If enacted, companies may be compelled to scale back on the personalized, innovative services that have defined today’s technology landscape. This shift would disproportionately burden small businesses, potentially undermining California’s vibrant startup ecosystem. Ultimately, consumer choice could diminish, and the dynamic, user-focused nature of the digital economy may be compromised.
Neil Chilson submitted a comment raising concerns about the onerous regulation and the potential of transforming the California Consumer Privacy Act into a de facto AI regulatory regime. We briefly discussed this regulatory proceeding in a previous post but go into more detail of Neil’s comments below.
Sweeping Rules Justified under Flawed Benefit / Cost Analysis
The CPPA’s proposal would force businesses to comply with new requirements that, under their own analysis, could cost California companies approximately $3.5 billion in the first year, with average annual expenses of around $1.08 billion over the next decade. These costs stem from software overhauls necessary to ensure compliance. Moreover, the CCPA doesn’t consider other unintended consequences such as increased labor cost and indirect expenses for non-regulated businesses that depend on targeted advertising platforms. The compliance costs will unintentionally impact small businesses using digital advertising. As compliance costs force digital advertisers to increase the prices of their services, small businesses will be subjected to reduced marketing efficiency and customer growth.. This mandate forces companies to allocate resources toward documenting and certifying compliance, which could otherwise be invested in creating better and cheaper products.
The proposal also creates uncertainty with its expansive definition of “Automated Decision-Making Technology.” The definition would cover technology ranging from advanced AI systems to basic data sorting. The consequence is a regulatory regime that makes operating and creating digital businesses in California riskier than the status quo.
Another contentious aspect is the regulation of behavioral advertising. Under California’s privacy law, consumers can opt out of third-party data sales, but the new rules go beyond the law to restrict first-party data used for targeted advertising, which is a critical source of revenue and new customers for many small and medium-sized businesses.
Restricting first-party targeted advertising could force businesses to raise prices or reduce marketing effectiveness, thereby hurting both publishers and consumers. The fallout could be detrimental to California’s startup ecosystem. Achieving early profitability is essential for the survival of digital startups. Targeted advertising allows startups to find customers while allowing consumers to find products uniquely tailored to their needs.
The proposal also raises significant constitutional issues. Mandated disclosures of how algorithms operate could force companies to reveal proprietary information, risking violations of trade secret protections and infringing on First Amendment rights. Court decisions, such as in Sorrell v. IMS Health, highlight the dangers of overregulating commercial speech, suggesting that the CPPA’s measures might face legal challenges.
Compounding these challenges is the unworkable and rushed implementation timeline. Initially, written comments were due on an extremely short deadline, and even after an extension, businesses are still faced with a compressed schedule. Companies are expected to inventory all their ADMT systems, develop new consumer interfaces for opt-outs, re-engineer algorithms, and train personnel. The average number of employees in a startup is four. These firms, lacking extensive compliance resources, are especially at risk, which will further damage the innovation ecosystem that California prides itself on.
The expansive ADMT regulations do not stand up to grounded cost-benefit analysis – consumers gain negligible privacy benefits at the expense of causing substantial damage to California’s thriving digital economy. To mitigate the unintended consequences of the regulations, Neil recommends:
Narrowing the definition of ADMT
Removing the restrictions on first-party advertising and marketing
Conducting a new Standardized Regulatory Impact Assessment (SRIA)
Addressing First Amendment questions and the legal authority of the California Privacy Rights Act of 2020 (CPRA).
Extending the implementation timeline.
The average startup being only four people is stunning.