On September 23, 2025, the California Privacy Protection Agency (CPPA) announced the approval of final regulations under the California Consumer Privacy Act (CCPA) covering cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT). The new rules, effective January 1, 2026, introduce significant new compliance obligations for businesses subject to the CCPA/CPRA, with phased deadlines for certain requirements.
Key requirements include:
- Cybersecurity Audits: Businesses must conduct annual, independent cybersecurity audits if they (1) derive 50% or more of annual revenue from selling or sharing consumers' personal information, or (2) meet the annual gross revenue threshold in the CCPA and process the personal information of 250,000 or more consumers or the sensitive personal information of 50,000 or more consumers. Audit certifications are due to the CPPA on a phased schedule: April 1, 2028 (for businesses with over $100 million in revenue), April 1, 2029 (for $50–100 million), and April 1, 2030 (for less than $50 million). Audits must be performed by qualified, objective, independent professionals and must assess a comprehensive set of technical and organizational safeguards, including authentication, encryption, access controls, vulnerability management, incident response, and more. Service providers and contractors must cooperate with the audit process.
- Risk Assessments: Covered businesses must conduct and document risk assessments before engaging in processing activities that present significant risks to consumers' privacy or security, such as selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, or using personal information to train ADMT. Risk assessment compliance begins January 1, 2026, with attestation and summary submissions due by April 1, 2028. Assessments must document the purpose, categories of data, operational elements, benefits, risks, and mitigation measures, and must be reviewed and updated at least every three years or upon material changes.
- Automated Decisionmaking Technology (ADMT): The regulations define ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. Businesses using ADMT to make significant decisions about consumers (such as those affecting financial services, housing, employment, or healthcare) must, by January 1, 2027, provide clear pre-use notices, offer consumers the right to opt out, and respond to access requests with meaningful information about the logic, key parameters, and effects of the ADMT. The rules require plain-language explanations, transparency about the role of human involvement, and prohibit retaliation against consumers exercising their rights. Exceptions and specific requirements apply for certain employment and admissions uses.
These regulations significantly expand the compliance landscape for California businesses, requiring new documentation, consumer-facing notices, and ongoing governance. Businesses should review their data processing activities, update privacy notices and contracts, and ensure robust audit and risk assessment procedures are in place to meet the new standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.