On July 24, 2025, at a public meeting held after the close of the public comment period, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the regulations implementing the California Consumer Privacy Act (CCPA). These substantial changes impose new obligations on businesses subject to the CCPA. Significantly, the updates reflect the CPPA's expanded regulatory focus on automated decision-making and cybersecurity in addition to privacy. Separately, the CPPA opted to reopen its proposed Delete Request and Opt-Out Platform (DROP) regulations for a further round of public comment. Below is a summary of the key updates:
Automated Decisionmaking Technology
- ADMT Defined – The updates introduce a new regulatory focus on automated decisionmaking technology (ADMT), which is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” The definition does not reach technology that is used to assist human decisionmaking rather than to replace or substantially replace it.
- Consumer Rights – Under the new ADMT provisions, businesses must inform consumers of their opt-out and access rights with respect to the business’s use of ADMT to make any significant decisions about the consumer. “Significant decisions” are defined as decisions related to financial or lending services, housing, education opportunities, employment opportunities, or healthcare services.
- Pre-Use Notice – Businesses must also provide pre-use notices regarding the use of ADMT. These notices should explain what the ADMT does, consumer rights related to opt-out and access, and a detailed description of how the ADMT works to make a significant decision about the consumer.
Annual Cybersecurity Audits
The final regulatory text introduces an annual cybersecurity audit requirement for businesses that meet a specified threshold. Covered businesses must conduct annual, independent cybersecurity audits that assess how their cybersecurity program protects consumer personal information from unauthorized access and disclosure, and must submit a certificate of completion to the CPPA each year.
- Audit Components – The audit's scope covers the components of the business's cybersecurity program, including authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education. The audit report must describe, in detail, any gaps or weaknesses in the organization's policies or program components that the auditor determined increase the risk of unauthorized access or activity.
- Impartiality Requirement – Audits must be performed by an independent and qualified professional. If the auditor is internal to the business, the regulations require specific measures to ensure the auditor's impartiality and objectivity.
- Repurposing Audits – An audit performed for another purpose or against another framework, such as one conducted using the NIST Cybersecurity Framework 2.0, may be used to satisfy this requirement, provided it meets all of the requirements in the regulations, including the scope and gap-reporting requirements described above.
- Compliance Timeline – The deadline for completing the initial cybersecurity audit depends on the business's annual revenue in prior years. All covered businesses must complete the initial audit by April 1, 2030, but businesses above a revenue threshold must do so by April 1, 2028.
Pre-Processing Risk Assessments
Under the new regulations, any business whose processing of personal information presents a significant risk to consumers' privacy must conduct a risk assessment before initiating that processing. The purpose of the risk assessment is to restrict or prohibit the processing if the resulting privacy risks to consumers outweigh the benefits to the business and other stakeholders. Risk assessments must be reviewed and updated at least once every three years. If there is a material change in the processing activity, the business must update its risk assessment as soon as possible, and no later than 45 calendar days after the change.
- Broad Definition of Significant Risk – The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses share personal information with third parties.
- Risk Assessment Components – A risk assessment must document the business's purpose for processing consumer personal information, the benefits of that processing to the organization, and the categories of personal information to be processed. It must also consider the negative impacts of the processing on consumers' privacy, and identify the safeguards the business plans to implement for the processing, such as encryption and privacy-enhancing technologies.
- Compliance Timeline – For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the attestation must be a member of the business's executive management team who is directly responsible for, and has sufficient knowledge of, the business's risk assessment compliance. Risk assessments must be retained for as long as the processing continues or for five years after completion, whichever is later, and must be made available for inspection by the CPPA or the Attorney General on request.
Insurance
The final text also clarifies how the regulations apply to insurance companies. Insurers must comply with the CCPA with respect to personal information collected outside of an insurance transaction. The final text gives the example of an insurer that collects personal information from website visitors who have not applied for any insurance product or service in order to serve them personalized advertisements; the insurer must comply with the CCPA with respect to that information. Because most websites use tracking technologies, insurance companies should assess their CCPA compliance promptly.
Recommended Next Steps
The California Office of Administrative Law (OAL) still needs to review and approve these changes, and has 30 business days after receiving the final text from the CPPA to do so. Many industry experts expect the OAL to make only minor changes, if any, so businesses should expect most of the final text to be approved as written. The regulations take effect in 2027, so preparing for these new compliance obligations should be a top priority. The CPPA's next meeting is September 26, 2025, at which it is expected to present its annual enforcement report and priorities.