The California Privacy Protection Agency adopted a package of regulations on automated decision‑making technology (ADMT), risk assessments and cybersecurity audits at its July 24 meeting after an extended public comment period and vigorous debate.

The final package narrows some original proposals, including phasing cybersecurity audits by revenue level, removing a behavioral advertising threshold for ADMT obligations, and focusing ADMT requirements on use for "significant decisions." Agency staff said those and other revisions cut estimated direct business compliance costs from the initial projection of more than $10 billion to about $4.8 billion over 10 years and that aggregate net benefits rise substantially under updated modeling.

Board members praised the staff's lengthy drafting effort. "I support adopting these thoughtful, and I say balanced and privacy focused regulations today," Board Member Liebert said during deliberations.

But the adoption took place amid strong public opposition from labor and civil‑society groups, and wide disagreement among business associations. Worker advocates, several unions and gig‑worker speakers urged stronger rules, saying narrow definitions will let employers and platforms avoid obligations and deny workers notice, recourse and access to data used by algorithms that affect pay, discipline or deactivation. Dozens of labor, consumer and civil society organizations had submitted coalition comments and told the board the proposed changes had weakened worker protections compared with earlier drafts.

Gig workers and union representatives told the board they face real harms from automated systems that set pay rates, route work or deactivate accounts, and asked for broader notice, access, and stronger opt‑out and audit requirements. For example, driver Darius Mobareke told the board, "I want access to my life. I want access to my story. I want access to my data," and described difficulties obtaining information from platforms about how algorithmic decisions affected his work.

Industry groups argued the rules remain too prescriptive and costly, warned of duplicate federal and state obligations for regulated sectors, and urged longer compliance timelines. Several business associations asked that the agency pause and coordinate with the governor’s AI working group and the legislature to avoid regulatory conflict.

Staff reported the agency received about 575 pages of comments from 70 distinct commenters during the most recent (24‑day) public comment period and noted many prior rounds of pre‑rulemaking comment dating back to 2021. After discussion the board voted 5‑0 to adopt the regulations as modified and to direct staff to submit the final rulemaking package to the Office of Administrative Law.

Why it matters: The ADMT and cybersecurity rules implement voter‑authorized agency powers and will affect how companies use algorithms that make or influence consequential decisions about consumers and workers across California. The rules establish notice, risk‑assessment, external review and phased audit obligations that will become compliance landmarks for the state.

What’s next: Staff will package final statements of reasons and supporting documents and submit them to OAL. The agency also will monitor effects in the field and indicated it is prepared to propose future amendments if the rules prove impracticable or fail to address emerging harms.

Ending: The adoption marks a milestone in California’s attempt to regulate algorithmic decision making and cybersecurity practices; it also signals further enforcement and oversight work as the new rules take effect.