On September 22, 2025, the California Office of Administrative Law (“OAL”) approved revisions to the Regulations under the California Consumer Privacy Act (“CCPA”) proposed by the California Privacy Protection Agency (“CPPA”). The CPPA added requirements to the Regulations regarding automated decision-making technology (“ADMT”), risk assessments, and cybersecurity audits, among other areas. The OAL’s signoff marks the culmination of a lengthy rulemaking process, involving significant stakeholder engagement and its share of spilled ink.
The Regulations take effect on January 1, 2026, but many of the substantive requirements do not apply until later dates. This article outlines the key obligations and deadlines in the Regulations for (1) ADMT, (2) risk assessments, and (3) cybersecurity audits. A more comprehensive discussion of the Regulations can be found in our earlier article.
1. Automated Decision-Making Technology
Deadlines: Businesses must comply with the ADMT requirements from January 1, 2027.
Scope: The Regulations apply to businesses that use ADMT to make significant decisions. The final Regulations define ADMT as “any technology that processes personal information and uses computation to replace human decisionmaking, or substantially replace human decisionmaking.” Significant decisions include those relating to financial or lending services, housing, education enrollment or opportunities, employment (including hiring or promotion), and healthcare. Significant decisions do not include advertising to a consumer.
Summary of Requirements: A business that uses ADMT to make significant decisions must provide individuals subject to the ADMT with (1) notice of the ADMT before it is deployed, (2) an opportunity to opt out of the ADMT unless an exemption applies, and (3) the right to access how the ADMT made decisions.
2. Risk Assessments
Deadlines: Starting January 1, 2026, businesses are required to conduct risk assessments. However, for data processing activities that a business initiated prior to January 1, 2026, the business has until December 31, 2027 to complete and document its risk assessment. If the business plans to change its data processing activities after January 1, 2026, a risk assessment is required before the business engages in the modified activities. Businesses must submit information on risk assessments conducted in 2026 and 2027 to the CPPA by April 1, 2028. For any risk assessment conducted after 2027, businesses must submit information on the assessment to the CPPA by April 1 of the year following the assessment.
Scope: Businesses that engage in certain types of processing of personal information that present significant risk to California residents’ privacy must conduct a risk assessment before engaging in the processing. Our earlier article includes a discussion of what constitutes significant-risk processing.
Summary of Requirements: Businesses that engage in significant-risk processing must conduct the risk assessment and submit an attestation to the CPPA stating, under penalty of perjury, that the business has conducted risk assessments as required under the Regulations, along with additional information about the risk assessments it has completed. The CPPA and the California Attorney General’s Office may also demand a copy of a business’ risk assessment, which the business must provide within 30 calendar days of the request. Risk assessments must address topics including the purpose of the processing, the categories of personal information processed, the operational aspects of the processing, the benefits of the processing, the negative privacy impacts, the safeguards implemented by the business, and whether the business will proceed with the processing that is the subject of the risk assessment.
3. Cybersecurity Audits
Deadlines: The initial deadline for submitting a business’ first cybersecurity audit certification to the CPPA depends on the business’ annual gross revenue:
- April 1, 2028 (covering the year 2027) if the business’ annual gross revenue for 2026 exceeds $100 million.
- April 1, 2029 (covering the year 2028) if the business’ annual gross revenue for 2027 is between $50 million and $100 million.
- April 1, 2030 (covering the year 2029) if the business’ annual gross revenue for 2028 is less than $50 million.
Thereafter, cybersecurity audits must be conducted annually by every business that met the scope criteria in the preceding year.
Scope: The cybersecurity audit obligations apply to businesses that either:
- had annual gross revenues in excess of $26.625 million in the preceding calendar year (as periodically adjusted for inflation) and, in that same year, processed the personal information of 250,000 or more Californians or the sensitive personal information of 50,000 or more Californians; or
- derived 50% or more of their annual revenues from selling or sharing consumers’ personal information.
Summary of Requirements: Cybersecurity audits must be conducted annually by a qualified, objective, independent professional and must describe certain aspects of the business’ cybersecurity program, including how it protects personal information from unauthorized access, destruction, use, modification, or disclosure. Although the business does not need to submit the audit report itself to the CPPA, it must submit a certification and attestation, under penalty of perjury, that it has completed the annual audit.
Takeaways
In addition to introducing the ADMT, risk assessment, and cybersecurity audit requirements, the Regulations also change many requirements found in the prior version. For example, businesses must now display on their websites whether they have processed a California resident’s opt-out preference signal as a valid request to opt out of sale/sharing, and the Regulations provide more detailed guidance on what practices constitute unlawful “dark patterns”. Although these new obligations may pose novel challenges for many organizations, by managing compliance deadlines effectively and proactively updating risk and privacy processes, businesses can put themselves on a path toward compliance.