At its latest meeting, the CPPA voted to finalize its regulations governing automated decisionmaking tools, cybersecurity audits, and privacy risk assessments
On July 24, the California Privacy Protection Agency ("CPPA") board voted 5-0 to finalize its regulations relating to cybersecurity audits, risk assessments, and automated decisionmaking technology ("ADMT").
The rulemaking process has been ongoing since 2023, and the regulations have gone through multiple revisions since then. In May 2025, the CPPA significantly narrowed the scope of the proposed regulations and submitted them for a second round of public comment. The CPPA did not make any changes based on comments received in the second round and instead voted to finalize the version of the regulations released in May, which we discussed in detail.
In the Final Statement of Reasons released with the regulations, the CPPA stated that by limiting the scope of the regulations, compliance costs for businesses over 10 years would decrease from $9.725 billion to $4.835 billion.
The CPPA sent the rulemaking package to the Office of Administrative Law, which has 30 days to approve the regulations. Once approved, compliance will be required by the following deadlines:
- ADMT Regulations: January 1, 2027
- Privacy Risk Assessments: December 31, 2027
- Cybersecurity Audits:
  - April 1, 2028 (for businesses with over $100 million in annual gross revenue)
  - April 1, 2029 (for businesses with annual gross revenue between $50 million and $100 million)
  - April 1, 2030 (for businesses with annual gross revenue less than $50 million)