California Finalizes New CCPA Regulations: What Businesses Need to Know

Foley Hoag LLP - Security, Privacy and the Law

California continues to lead the way in data privacy standards as the latest regulatory updates from the California Privacy Protection Agency (“CPPA”) mark a significant step forward in safeguarding individual rights and data security. On July 24, 2025, the CPPA voted to approve changes to the California Consumer Privacy Act (“CCPA”) regulations that address automated decision-making technology (“ADMT”), risk assessments, and cybersecurity audits. These changes are designed to enhance consumer protections and increase organizational accountability, especially as artificial intelligence (AI) and automated systems become more prevalent in business operations. Below, we provide a high-level overview of these changes and steps that businesses can take to promote CCPA compliance.

Key Changes in the New CCPA Regulations

The newly approved regulations introduce several important requirements for businesses subject to the CCPA:

  • Automated Decision-Making Technology (ADMT): The regulations define ADMT broadly, covering “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” In other words, the CCPA regulations now target uses of ADMT that lack substantial human involvement. To illustrate this point, the regulations provide an example of a business that videotapes job interviews and uses emotion-recognition technology, without human involvement, to assess the videos and decide whom to hire.
    • Businesses covered under the CCPA must now provide natural persons who are California residents (“Consumers”) with clear notices about the purposes for which ADMT is used, including the logic involved, the significance, the potential consequences, and individuals’ rights related to ADMT. As with all other notices required under the CCPA, these notices must be presented at or before the point of data collection and in the manner in which the business primarily interacts with the Consumer. The regulations also grant Consumers the right to opt out of a business’s use of ADMT to make “significant decisions” concerning the Consumer. “Significant decisions” generally include decisions relating to the provision or denial of financial or lending services, housing, educational enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Further, a business must offer Consumers at least two methods of submitting requests to opt out of the business’s ADMT usage. Businesses that use ADMT prior to January 1, 2027 must comply with the ADMT requirements no later than that date.
  • Risk Assessments: Businesses must conduct and document regular risk assessments when engaging in activities that present a significant risk to Consumers’ privacy or security, including using ADMT to make decisions, selling or sharing personal information, or processing sensitive personal information. These assessments must evaluate whether the potential impact of the data processing on Consumers, including the likelihood and severity of harm, outweighs the benefit that the business will receive from the processing. The CCPA regulations specify the content and frequency of these assessments, and require businesses to submit them to the CPPA upon request. Additionally, assessments must be updated if any material change is made to the underlying processing activity. Risk assessments must be reviewed and updated at least once every three years. For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028.
  • Cybersecurity Audits: The regulations require annual cybersecurity audits for businesses whose processing of personal information presents significant risks. These audits must be thorough, independent, and documented, with a focus on whether the business’s security measures are effective in maintaining the privacy of personal information. They must also generally be conducted by a “qualified, objective, independent” professional (although internal auditors are permitted in certain circumstances). The regulations outline specific criteria for what constitutes an adequate audit, emphasizing the need for objectivity and comprehensive coverage. Notably, the regulations allow for a cybersecurity audit implemented for a separate purpose, such as ensuring adherence to the standards of the applicable NIST Cybersecurity Framework, to be used for this CCPA audit requirement. Businesses with annual gross revenue above $100 million in 2026 will be subject to the first deadline and must complete audits for 2027 by April 1, 2028. Smaller businesses are subject to similar requirements over the course of the following two years. All businesses meeting the general audit applicability requirements will have to complete audits for 2029 by April 1, 2030.

Recommendations for Businesses

California’s Office of Administrative Law (“OAL”) must now review and approve the proposed changes to the CCPA regulations, but industry experts generally do not expect that substantive revisions will be made before they become law. The finalization of these regulations increases the privacy compliance requirements in California for businesses subject to the CCPA. As California has often led the way amongst states with respect to the implementation of new data privacy protections, these proposed changes to the CCPA regulations may also lead to similar initiatives in other states with comprehensive data privacy laws. Businesses can prepare themselves for compliance with the regulations through the following steps:

  • Businesses should review the extent to which their activities are implicated under the new requirements. For example, technology and AI usage should be evaluated to determine if it constitutes ADMT, and businesses should consider if their data use or disclosure practices will require risk assessments because they involve “significant risk.”
  • Businesses should prepare to update their website privacy notices, internal data security policies, audit procedures, and opt-out forms as needed to reflect these updated requirements.
  • Based on the new requirements for risk assessments and cybersecurity audits, businesses should take a proactive approach to identifying and mitigating privacy and security risks. Documentation and readiness to demonstrate compliance will be critical, especially in the event of a CPPA inquiry. Complying with what amounts to a data governance regime will require a multidisciplinary effort and adequate internal policies for many organizations.
  • Businesses should continue to monitor for any minor changes that the OAL makes to the new regulations, and discuss any questions on how the new requirements will affect them with legal counsel. Businesses should also monitor for any similar initiatives in other states with comprehensive data privacy laws including, but not limited to, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

Conclusion

The CPPA’s new regulations under the CCPA represent a comprehensive effort to address the challenges posed by ADMT and evolving cybersecurity threats. Businesses operating in California—or processing the data of California residents—should take these changes seriously and consider the above recommendations. Businesses should begin reviewing their data processing activities, updating their risk assessment and audit procedures, and training staff on the new requirements. Early action will help ensure compliance and reduce the risk of enforcement actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
