CPPA Approves Cybersecurity, Automated Decisionmaking, and Risk Assessment Regulations

Perkins Coie

After years of drafting, discussion, and debate, the California Privacy Protection Agency (CPPA) Board reached a significant milestone in its effort to finalize regulations that have been under consideration by the Board for several years.

At its public meeting on July 24, 2025, the Board unanimously approved regulations governing cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT), along with updates to several existing regulations, which together will impose substantial new obligations on businesses subject to the California Consumer Privacy Act (CCPA). Below is a high-level overview of the approved rules and next steps, followed by an update on the ongoing Delete Request and Opt-Out Platform (DROP) rulemaking.

CPPA (Finally) Passes the Regulations

The Board’s 5-0 vote to approve the regulations was the culmination of a prolonged process that began in 2021 and advanced to formal rulemaking in November 2024. In the most recent public comment period, the CPPA received 575 pages of feedback from 70 different stakeholders, as well as public comments offered on the day of the Board meeting. The approved regulations are unchanged from the draft originally circulated before the comment period. The CPPA detailed its reasoning in its Final Statement of Reasons, and agreed to prepare a guide explaining why publicly voiced concerns were not adopted.

Cybersecurity Audits

Among the most complex aspects of the CPPA’s rulemaking, the cybersecurity audit requirements are detailed and comprehensive. Under the regulations, CCPA-covered businesses must conduct an annual cybersecurity audit if they either (i) derive 50% or more of their annual revenue from selling or sharing personal information, or (ii) exceed $26.6 million in revenue and process the personal data of 250,000 or more consumers/households, or sensitive data of 50,000 or more consumers. These thresholds are designed to capture larger companies and those with business models heavily reliant on data monetization. Audits must be performed by qualified, objective, and—most importantly—independent professionals. Internal auditors are allowed, provided they report to an executive with no cybersecurity oversight. It is anticipated that the current structure of many businesses’ data security programs may not satisfy the regulations’ independence requirements, and there was extensive Board discussion in earlier meetings as to whether this requirement would necessitate an entire new industry of qualified auditors. 

The regulations lay out 18 components of the business’s cybersecurity program—many of which contain multiple elements—that must be assessed within an audit, including the following topics:

  • Authentication Controls: Use of multi-factor authentication (MFA), including phishing-resistant MFA for employees, contractors, and service providers; strong, unique passwords or passphrases.
  • Encryption: Encryption of personal information both at rest and in transit.
  • Access Controls: Restricting access to personal information to only those individuals, accounts, or applications that need it; limiting the number of privileged accounts; monitoring the creation of new accounts; and restricting physical access to personal information.
  • Data Inventory and Management: Maintaining an inventory of data flows, hardware, and software.
  • Secure Configuration of Hardware and Software: Secure configuration of systems; patch management; masking of sensitive personal information as appropriate.
  • Vulnerability Management: Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting.
  • Logging and Monitoring: Centralized storage, retention, and monitoring of audit logs; network monitoring and deployment of intrusion detection and prevention systems; data loss prevention tools.
  • Malware Protection: Use of antivirus and antimalware solutions.
  • System Segmentation: Segmentation of networks and limitation of ports, services, and protocols.
  • Training and Awareness: Ongoing cybersecurity education and training for all personnel with access to information systems.
  • Secure Development Practices: Adoption of secure coding and development best practices, including code reviews and testing.
  • Vendor Oversight: Oversight of service providers, contractors, and third parties to ensure compliance with contractual and legal obligations.
  • Data Retention and Disposal: Implementation of retention schedules and secure disposal of personal information that is no longer needed.
  • Incident Response and Business Continuity: Documented incident response plans, regular testing of incident response capabilities, and business continuity and disaster recovery planning.

Businesses subject to the cybersecurity audit requirements must annually submit to the CPPA a signed certification from an executive responsible for cybersecurity audit compliance, though they do not have to submit the underlying audit report. Importantly, the CPPA and the Attorney General may request full audit reports as part of an investigation.

The audit requirements offer the strongest indication yet of what the CPPA considers “reasonable” security procedures and practices that would satisfy the CCPA’s requirements (see Cal. Civ. Code §§ 1798.100(e) & 1798.150(a)(1)). Consequently, even businesses not subject to the cybersecurity audit requirement may want to benchmark their program against it.

Timeline. The audit requirements phase in gradually; audits must begin by April 1, 2028, for businesses with $100 million or more in annual gross revenue; by April 1, 2029, for those with $50–$100 million in annual gross revenue; and by April 1, 2030, for businesses with less than $50 million in annual gross revenue.

Automated Decisionmaking Technology

The regulations define “Automated Decisionmaking Technology” (ADMT) as any technology that processes personal information and uses computation to “replace or substantially replace human decisionmaking.” Under the regulations, consumers gain opt-out and access rights when ADMT is used to make a “significant decision,” meaning a decision that results in the provision or denial of lending or financial services (e.g., credit cards, loans, money transfers), housing (excluding basic administrative functions), education (e.g., admissions, certifications, disciplinary actions), employment (e.g., hiring, compensation, promotions, terminations), or healthcare (e.g., diagnosis, treatment, or health assessments). In these cases, businesses must also provide a pre-use notice explaining the purpose of the model, how it functions, and the consumer’s rights to opt out or request additional information.

Timeline. Businesses using ADMT must be in compliance by January 1, 2027. See Next Steps below for more detail about the effective date. 

Risk Assessments

Under the regulations, businesses must conduct a risk assessment before starting any activity that poses a “significant risk” to consumer privacy and submit annual summary attestations to the CPPA. These activities are selling or sharing personal data, processing sensitive personal information, using ADMT to make significant decisions, profiling individuals in sensitive contexts (like employment or education), and training ADMT and biometric systems for significant decisions.

Both the substance and procedures for conducting risk assessments under the regulations differ in material respects from the obligations imposed in other states. Risk assessments must explain the purpose of processing, data categories involved, processing methods, retention periods, disclosures, third-party involvement, expected benefits, potential privacy harms, and safeguards. An executive must attest that the assessment meets regulatory standards. 

Timeline. Assessments must be completed for existing activities by December 31, 2027, with attestations due April 1, 2028 (new activities require assessments before launch and attestations by each following April thereafter). All assessments must be reviewed every three years or within 45 days of material changes. Full reports must be available upon request of the CPPA or the Attorney General.

Modifications to Existing Regulations

The rulemaking package also includes modifications and clarifications to a number of existing rules. Key updates include:

  • Requiring mechanisms that transparently reflect compliance with consumer opt-out requests, including a clear on-site indication (e.g., “Opt-Out Request Preference Signal Honored”) and corresponding status indicators in privacy settings via toggles or selection tools.
  • Requiring notices about the right to opt out of sharing/sales and to limit the use of sensitive information to appear before or at the point of data collection—particularly on connected devices and in AR/VR environments.
  • Clarifying that user interfaces must follow the “symmetry in choice” principle by presenting “yes” and “no” options with equal prominence when handling CCPA requests or consumer consent.

Proposed DROP Regulations

In parallel with the rulemaking efforts detailed above, the CPPA has been drafting proposed regulations under the DELETE Act to establish the DROP—a “one-stop shop” for consumers to request deletion of their personal information from all registered data brokers. (The DROP platform is targeted to launch in 2026.) After reviewing public comments on the initial draft regulations, the Board approved further revisions for public comment, including requirements to verify that DROP requests originate from California residents, more specific information about how data brokers must compare their databases with the data provided by the DROP system, and additional standards for matching consumer data against the DROP platform.

Next Steps 

As for the rulemaking package the Board approved, the CPPA must send it to the California Office of Administrative Law (OAL), which generally has 30 working days to review the regulations and confirm that the CPPA has satisfied the California Administrative Procedure Act and OAL regulations.

Following OAL approval, rules generally go into effect the first quarter following the filing date with the Secretary of State as follows: January 1, if filed between September 1 and November 30; April 1, if filed between December 1 and February 29; July 1, if filed between March 1 and May 31; and October 1, if filed between June 1 and August 31. Further, a number of provisions have specific compliance deadlines to provide additional time to prepare, as noted above.

Regarding the proposed DROP regulations, the CPPA will open a new 15-day comment period on the revisions approved at the July 24 meeting.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Perkins Coie
