Thank you very much for that question. I have concerns about legitimate interest as well.
As to whether it is weaker or stronger than the GDPR, it is substantially weaker than the GDPR in its wording. The GDPR, like the CPPA proposal, has a balancing.... It has no “get out of jail free” card. There must be a balance and the use must be appropriate, and it can't adversely affect individuals.
However, unlike the GDPR, it doesn't apply to disclosures, which is very significant. For example, search engines or AI companies are either not going to be able to operate in this country without an amendment, or they'll operate and they won't be subject to the law. This section needs to be fixed.
The other thing is that it has additional tests, which aren't in the GDPR, about a reasonable person having to expect the collection of such activity. That is tethered to an old technology—a known technology—rather than a technologically neutral approach. We want something that's going to work in the future, and this language doesn't work.
I think the problem is actually the opposite of what you were asking for. We need to fix it so that it works properly but still protects the public.