Privacy

Goal

Proactively develop and promote privacy principles and policies that protect consumers without stifling innovation and that avoid costly and unnecessary legal liability and compliance burdens on businesses.

Issue Summaries

California Privacy Protection Agency

Position: It is becoming increasingly imperative that California’s elected officials rein in a state agency that is seemingly intent on writing public policy for the state on critical matters that far exceed its legal authority and have the ability to bring California’s economy to a grinding halt, all while downplaying the impact that their regulations will have on the regulated community. The California Privacy Protection Agency cannot be permitted to adopt regulations for which it has no legal authority or otherwise extend beyond the explicit statutory authority voters granted the Agency in Proposition 24 — least of all in situations where they have the ability to damage the economy and prevent the state from harnessing technology for the benefit of society, undermining clear directives from the Governor; and where they would be getting ahead of the Legislature on issues on which they know elected officials intend to act in the immediate future.

The California Chamber of Commerce will continue to shine light on the issue and participate in any available public process to represent the interest of members and outline the ways in which the Agency has exceeded its express voter mandate and what is commonly understood to be privacy regulations. The CalChamber will also support legislative proposals or other actions to add checks and balances and otherwise prevent the Agency from usurping what is clearly within the bounds of legislative authority in regulating artificial intelligence (AI) more generally, and in effectively rewriting the California Consumer Privacy Act (CCPA) by substituting their judgment for the voters’ actual mandate.

The CalChamber supports proposals to address concerns over rogue agencies and to add additional layers of checks and balances on those agencies, such as additional review of certain major regulations that have particularly significant economic impact, the potential to fall within the authority of multiple state agencies, or new issues that have yet to be addressed in statute first wherein the Legislature and Governor also can decide the appropriate regulatory authority on those issues. The CalChamber also supports proposals that would enforce independent review or analysis of certain economic assessments for major regulations.

California Privacy Protection Agency

Artificial Intelligence

Position: Ultimately, as with all AI legislation, any regulatory framework should be risk-based and avoid regulating the technology itself. Accordingly, the CalChamber is open to supporting reasonable safety frameworks that do not regulate the AI systems or models themselves, or supporting voluntary commitments via an executive order or bill in 2025.

Recognizing, however, that the Governor has expressed a clear intention to take a thoughtful — yet swift — approach to issuing workable guardrails that will be informed by his working group experts, and sharing in that same goal of supporting reasonable and workable guardrails, the CalChamber will engage in any processes and stakeholder opportunities made available by that working group.

Artificial Intelligence

Automated Decision-Making Tools

Position: The CalChamber would support reasonable legislation that would ensure the responsible development and deployment of ADMTs to help reduce, if not prevent, incidences of algorithmic discrimination without creating confusion as to what is and is not unlawful. Legislation must not regulate the technology itself; rather, it must be focused on specific use cases, and high-risk applications of the technology. It must be sufficiently risk-based and narrow in scope (ADMTs captured, businesses, types of decisions) and balanced, both to be operable and to avoid overregulation.

Other elements that must be included are: reasonably-tailored obligations (no opt-out rights, overly broad and cumbersome notice and right to correct requirements), confidentiality protections, no private right of action, a single enforcer, and preemption of localities and of state agencies.

Keeping in mind that anti-discrimination laws are technology neutral and are not obviated by the use of tools, the focus should be practices that would help develop and deploy the technology responsibly to avoid bias and discrimination, not discourage the advancement or application of the technology.

Automated Decision-Making Tools

Cleaned up onerous consumer privacy law in 2018 by working with members and other affected parties to negotiate clean-up language to consumer privacy law passed in 2018, including delayed enforcement and provisions clarifying that the private right of action applies only to additional liability for businesses after a data breach (SB 1121).

Led coalition in 2017 that negotiated amendments to protect the ability of business to offer free gifts or trials while allowing consumers who signed up online to cancel online (SB 313).

Stopped onerous, duplicative mandates in 2017 on manufacturers/retailers of devices that connect to the internet (SB 327); drastic restrictions on internet providers (AB 375); and a bill that risks stunting growth of unmanned aircraft systems (SB 347).

Maintaining Balance Between Privacy, Innovation

• Secured amendments in 2016 to remove problematic aspects of two bills (AB 83, AB 2623) and prevented passage of bills creating overly prescriptive mandates (AB 2688), interfering with businesses’ ability to interact with consumers (AB 2867), and potentially exposing proprietary information (SB 949).
• Stopped proposals in 2016 that would have stifled drone innovation and use (SB 868, AB 2724).
• Secured amendments in 2015 to make data breach legislation more workable for businesses (SB 570, AB 964).
• Supported modernization of digital surveillance laws in 2015 to provide clarity to business about when and how government can gain access to electronically stored consumer information (SB 178).

Protecting Victims of Identity Theft. Backed urgency bill to authorize restitution for expenses for three years to monitor an identity theft victim’s credit report and for the costs to repair the victim’s credit (SB 208 of 2011).

Combating Costly Identity Theft. Supported enactment of a law making it easier to prosecute identity theft offenses by expanding the jurisdiction to include any place where an offense occurred (SB 226 of 2009).

Neutralizing Overly Expansive Privacy Proposals. Secured amendments in 2009 to proposals (ultimately vetoed) potentially exposing businesses to further data breaches by expanding the content of required breach notifications (SB 20) and requiring social networking sites to prohibit and prevent photos posted to a site from being copied (AB 632).