ARTICLE
15 August 2025

California Finalizes Major CCPA Amendments

Taft Stettinius & Hollister

Contributor

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.

Automated Decision-Making Technology (ADMT) Regulations.

The CPPA has introduced a comprehensive framework governing the use of ADMT, defined as any technology that processes personal information and uses computation to replace, or substantially replace, human decision-making. Businesses using ADMT to make "significant decisions," such as those affecting financial services, employment, housing, education, or healthcare, must now:

  • Pre-Use Notice. Provide a Pre-Use Notice to the consumer detailing the decisions being made, the data used, and the consumer's rights relating to ADMT (i.e., the right to request access to ADMT and to opt out of ADMT).
  • Right to Access and Appeal. Businesses must inform consumers when ADMT is used and give consumers the right to access information about how the ADMT works, such as the logic behind the process. Additionally, consumers must be able to appeal a decision made using ADMT.
  • Opt-Out. Businesses must now provide consumers the right to opt out of ADMT, including a separate opt-out link entitled "Opt-Out of Automated Decision-Making Technology" on their websites. An opt-out is not required where consumers can appeal ADMT decisions to a human reviewer who has authority to overturn the decision.
  • Opt-In. Opt-in consent is required when ADMT is used to process sensitive personal information.

Notably, the CPPA removed references to "artificial intelligence," opting for a broader definition of ADMT.

Annual Cybersecurity Audits.

Businesses that meet certain thresholds must conduct annual independent cybersecurity audits starting in 2028. The thresholds include businesses that:

  • Derive 50% or more of annual revenue from selling or sharing personal information; or
  • Have annual gross revenue over $25 million (adjusted for inflation) and process either:
    • Personal information of at least 250,000 consumers, or
    • Sensitive personal information of at least 50,000 consumers.

These audits must, among other requirements, also:

  • Be conducted by an internal or external professional that is objective and qualified.
  • Be evidence-based, not reliant on management attestations.
  • Cover various data governance components of the business, including authentication, encryption, access controls, incident response, vendor oversight, and more.

The business then must create a cybersecurity audit report that identifies various aspects of the audit, including, but not limited to, (A) the policies, procedures, and practices that the cybersecurity audit assessed; (B) the criteria used for the cybersecurity audit; (C) the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted, and (D) any gaps and weaknesses of the data governance program.

Risk Assessments for High-Risk Processing.

Companies engaging in high-risk data activities, such as "selling" or "sharing" personal information, using ADMT for significant decisions, processing sensitive personal information, and profiling individuals in employment, education, or sensitive locations, must perform detailed risk assessments. Such risk assessments must:

  • Document the purpose, scope, and safeguards of the processing.
  • Conduct an analysis of the risks to the consumers and benefits to the business of processing such personal information.
  • Identify the negative impacts to consumer privacy.
  • Be updated every three years or upon material changes.

Additionally, the amendments require businesses to submit risk assessment attestations and certifications to the CPPA annually starting in 2028.

Clarifications for Insurance Companies.

The amendments clarify that while data collected strictly within insurance transactions remains governed by the Insurance Code, data that the Insurance Code does not cover, such as marketing, employment, or website visitor information, falls under the CCPA.

Additional Amendments.

Alternative Opt-Out Link. Businesses are required to include the Alternative Opt-Out Link icon if they combine the Do Not Sell or Share My Personal Information link with the Limit the Use of My Sensitive Personal Information link. The amendments now allow businesses to change the color of the icon so that it can remain visible while providing more contrast with the background.

Opt-Out Preference Signals. Prior to the amendments, businesses had the option of notifying website users, when they landed on the website, that the website had honored an opt-out preference signal (e.g., Global Privacy Control) sent by their browser. The amendments now make that notice mandatory.

Privacy Banners. Some businesses have recently added privacy banners to their websites to notify users that the websites use cookies. The amendments add a new requirement that "a consumer closing or navigating away from a pop-up window on a website that requests consent without first affirmatively selecting the equivalent of an 'I accept' button shall not constitute consent. Such a method for obtaining consent is confusing to the consumer." This means that privacy banners that only allow users to X out of the banner may not obtain valid consent.
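The two website requirements above (honoring and acknowledging an opt-out preference signal, and treating a dismissed consent banner as no consent) are the kind of thing a front-end or privacy-engineering team has to encode in logic. The following is an added example written for this page; it is not code from the article or from Taft, and the function and field names are hypothetical. The only external facts it relies on are the Global Privacy Control signal's two real carriers: the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` browser property. Both are passed in as plain values so the code runs outside a browser.

```javascript
// Added example (not from the article): minimal consent-state logic that
// honours an opt-out preference signal and records consent only on an
// explicit affirmative choice. Function and field names are hypothetical.

const CONSENT = Object.freeze({
  NOT_GIVEN: "not_given", // default: the banner was shown but nothing affirmative happened
  GIVEN: "given",         // reachable only through the "accept" button
  REFUSED: "refused",     // explicit reject
});

// Detect Global Privacy Control. Browsers expose it client side as
// navigator.globalPrivacyControl === true and server side as the request
// header "Sec-GPC: 1". Header names are matched case-insensitively.
function gpcSignalled({ navigatorLike = {}, headers = {} } = {}) {
  if (navigatorLike.globalPrivacyControl === true) return true;
  const normalized = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  return normalized["sec-gpc"] === "1";
}

// Apply one banner interaction to the consent state. Only "accept" yields
// GIVEN. Closing the pop-up, scrolling, or navigating away leaves the state
// exactly as it was, so a user who never pressed accept stays at NOT_GIVEN.
function applyBannerEvent(state, event) {
  switch (event) {
    case "accept":
      return CONSENT.GIVEN;
    case "reject":
      return CONSENT.REFUSED;
    case "close":
    case "scroll":
    case "navigate":
      return state; // dismissal is not consent
    default:
      throw new Error(`unknown banner event: ${event}`);
  }
}

// Combine the banner history with the preference signal into the decisions a
// page actually needs. Non-essential cookies gate on affirmative consent;
// selling/sharing is opt-out based, so it is blocked by either the signal or
// an explicit reject; the notice is returned whenever the signal was honoured.
function evaluateConsent({ navigatorLike, headers, events = [] } = {}) {
  let state = CONSENT.NOT_GIVEN;
  for (const e of events) state = applyBannerEvent(state, e);
  const gpc = gpcSignalled({ navigatorLike, headers });
  return {
    state,
    mayUseNonEssentialCookies: state === CONSENT.GIVEN,
    sellOrShareOptedOut: gpc || state === CONSENT.REFUSED,
    notice: gpc ? "Your opt-out preference signal has been honored." : null,
  };
}

// Constructed sample: a browser sending GPC whose user only dismissed the
// banner. Expect no cookie consent, sell/share opted out, and a notice.
const sampleDecision = evaluateConsent({
  navigatorLike: { globalPrivacyControl: true },
  headers: { "Sec-GPC": "1" },
  events: ["scroll", "close", "navigate"],
});
console.log(sampleDecision);
```

The design point is that the default state is "no consent" and the only transition into `GIVEN` is the affirmative button; every dismissal path is a no-op rather than an implicit accept. The signal check is kept separate from the banner state so that GPC can override whatever the banner would otherwise permit for selling or sharing.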

As with all privacy regulations, Taft's Privacy & Data Security team will continue to monitor updates and guidance regarding the CCPA and its regulations. For more data privacy and security-related updates, please visit Taft's Privacy & Data Security Insights blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
