On July 24, the CPPA released updated regulations under the California Consumer Privacy Act (CCPA), reflecting the changes made after the 45-day comment period in three main areas of concern: automated decision-making technology (ADMT), risk assessments, and cybersecurity audits. Organizations engaging in high-risk data processing — such as inferring personal traits or processing sensitive location data — must conduct and submit risk assessments evaluating the necessity, proportionality and potential impact of their practices.
As of January 1, 2027, businesses may be required to notify individuals about the use of ADMT for “significant decisions,” which could include decisions related to financial or lending services, housing, education, employment, compensation, or healthcare. Businesses subject to the CCPA whose data processing presents “significant risk” must complete annual cybersecurity audits, submit written certifications of completion to the CPPA, and be prepared to provide audit reports upon request by the CPPA, the attorney general of California, or in litigation following a data breach.
The regulations would impose additional obligations, including identifying all technologies using ADMT, as well as updating risk assessments and governance documents. Businesses must also train their workforce on new data, privacy and cybersecurity laws. Initial cybersecurity audit deadlines would be phased based on annual gross revenue, with the first reports due as early as April 1, 2028, for larger businesses. Companies using ADMT for significant decisions must comply with these rules on or after January 1, 2027.