CPPA Adopts ADMT, Cybersecurity and Risk Assessment Regulations

Sheppard Mullin Richter & Hampton LLP

The CPPA scratched another task off the to-do list last month when it officially adopted proposed regulations under CCPA. These rules focus on three major areas: automated decision-making technology, risk assessments, and cybersecurity audits. We discussed the requirements of the proposed rules in this post in May, when they were still in draft form.

Since then, few substantive changes were made. As a reminder, here are a few of the rules’ highlights:

  • Automated Decision-Making Technology: Requirements around use of this technology will not go into effect until January 1, 2027. At that time, obligations will include, among other things, notification and choice if using these technologies for major decisions on financial services, housing, school admissions, employment, or healthcare. Use of the technologies for behavioral advertising is excluded.
  • Risk Assessments: Beginning April 1, 2028, companies will need to submit risk assessments (including those conducted in 2026 and 2027) to the CPPA for processing that poses “significant risk”—including selling/sharing data, processing sensitive data outside employment, using ADMT for major decisions, or profiling that reveals sensitive traits.
  • Cybersecurity Audits: Annual cybersecurity audits will be mandatory for entities meeting “significant risk” thresholds based on size and data volume. These requirements take effect between 2028 and 2030, depending on revenue. Reports must justify any security safeguards not implemented and be available for review.

Putting it into Practice: Now that we have final rules (pending Office of Administrative Law approval, which is anticipated to come soon), businesses that meet CCPA’s thresholds will want to review their use of automated technologies, update policies for risk assessments, take stock of their security controls, and train staff on their new obligations. Unfortunately, although these rules are final, they were not without controversy (hundreds of comments came in during the public consultation period), so further changes may be in store for these regulations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Sheppard Mullin Richter & Hampton LLP
