The California Privacy Protection Agency (“CPPA”) finalized a set of regulations under the California Consumer Privacy Act (“CCPA”) on July 24, 2025, that address cybersecurity audits, risk assessments, and automated decisionmaking technology (“ADMT”). These rules, which follow an extensive and contentious rulemaking process and public consultation, represent a significant evolution in California’s data privacy and security landscape, with broad implications for businesses operating in the state.
BACKGROUND AND RULEMAKING PROCESS
The CPPA initiated the rulemaking process in November 2024. The regulations received substantial input from stakeholders, including technology companies, civil society, and government officials. Proposed rules around ADMT proved to be an especially thorny issue, with many commentators, including California Governor Gavin Newsom, urging the CPPA to be mindful of promulgating rules that may stifle innovation in the artificial intelligence (“AI”) field. The final rules narrow the scope of certain requirements with respect to ADMT by removing references to AI and behavioral advertising in the ADMT context, expanding the scope of when businesses can use ADMT, and scaling back when consumers may opt out of ADMT. The final regulations also phase in compliance obligations for cybersecurity audits over a number of years.
Adoption of the final text of the regulations comes on the heels of the Trump administration’s release of “America’s AI Action Plan,” which seeks to promote innovation over regulation in the AI field. The AI Action Plan recommends federal agencies’ “AI-related discretionary funding” consider a state’s regulatory climate when making funding decisions and limit funding if the state’s regulatory regimes could hinder the effectiveness of the funding. Although an executive order responsive to that particular AI Action Plan policy recommendation has not yet been released, the new ADMT regulations may set up future disputes with the Trump administration over regulation in the AI space. For more information on the AI Action Plan, please see our Client Alert: Innovation Over Regulation—Trump Unveils America’s AI Action Plan.
KEY REGULATORY UPDATES AND REQUIREMENTS
Automated Decisionmaking Technology (“ADMT”)
- Scope and Definitions: ADMT is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” To substantially replace human decisionmaking means to use ADMT output to make a decision without human involvement. Human involvement requires a human reviewer to: (a) know how to interpret and use the ADMT’s output to make a decision; (b) review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and (c) have the authority to make or change the decision. In general, the regulations’ requirements with respect to ADMT apply to businesses that use ADMT to make a “significant decision” about a consumer. A significant decision is one that is a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. ADMT also expressly excludes firewalls, anti-malware, calculators, databases, spreadsheets, and certain other tools, provided they do not replace human decision making. This definition could capture agentic and other types of AI used by businesses, depending on how such AI technologies are deployed.
- Notice Requirement: Businesses that use ADMT to make a significant decision must provide consumers with a pre-use notice at or before the point of collection that provides a plain language explanation of the specific purpose for which the business plans to use the ADMT.
- Consumer Rights: Consumers have the right to opt out of, and access information about, ADMT used for significant decisions affecting them. Businesses are not required to provide consumers with the ability to opt out if the business provides the consumer with a method to appeal the decision to a human reviewer who has authority to overturn the decision and where the ADMT is used for admission or acceptance, or for hiring decisions and allocation of work assignments, provided it does not result in unlawful discrimination based on protected characteristics.
- Risk Assessments for ADMT: Businesses must conduct risk assessments when using ADMT for significant decisions or for certain training purposes, with requirements to document the categories of personal information processed and the logic of the system.
Cybersecurity Audits
- Applicability and Scope: The regulations require annual cybersecurity audits for businesses whose processing of personal information presents a “significant risk” to consumers’ privacy or security. Under the regulations, processing presents “significant risk” if, in the preceding calendar year, a business derived 50 percent or more of its annual revenue from selling or sharing personal information, or if a business had revenue exceeding $26,625,000 in annual gross revenue (indexed for inflation) and processed the personal information of 250,000 or more California residents or the sensitive personal information of 50,000 or more California residents.
- Audit Standards and Independence: Cybersecurity audits must be conducted by qualified, objective, and independent professionals, either internal or external. Internal auditors must report to executive management not responsible for cybersecurity, rather than to the board of directors as previously proposed.
- Audit Content: The audit must assess a comprehensive list of cybersecurity controls, including multifactor authentication, encryption, access controls, data inventory, secure configuration, patch management, vulnerability scanning, logging, and training. The auditor determines which controls are applicable, considering the business’s size, complexity, and processing activities.
- Reporting and Certification: Businesses are not required to submit audit reports to the CPPA but must annually certify completion of the audit. The agency and the Attorney General retain authority to request audit reports during investigations.
- Implementation Timeline: Compliance is phased in based on business size, with the earliest audits due by April 1, 2028, for the largest businesses with annual gross revenue of $100 million; April 1, 2029, for businesses with annual gross revenue between $50 million and $100 million, and by April 1, 2030, for smaller businesses.
Risk Assessments
- Triggering Activities: Risk assessments are required for activities that present a “significant risk” to consumers privacy. Such activities include selling/sharing personal information, processing sensitive personal information, using ADMT for “significant decisions,” using personal information to train ADMT for certain uses, and automated processing to infer attributes in employment or educational contexts.
- Assessment Requirements: Businesses must perform data inventories to identify and document the personal information processed for the activities, and the specific purposes for which such data is processed. Businesses are also required to document the benefits and negative privacy impacts relating to the processing, and safeguards used by the business in connection with the processing. Businesses required to conduct risk assessments may be able to leverage risk assessments conducted for other legal regimes, provided they meet CCPA standards.
- Submission and Certification: Annual submission of risk assessment information is required, including the number of risk assessments conducted during the period covered by the submission, the categories of personal information covered by the risk assessments, and attestations under penalty of perjury.
Other Notable Provisions
- Insurance Companies: The rules clarify the application of CCPA to insurance companies, providing examples of when information is or is not subject to the Act.
- Definitions and Clarifications: The regulations update definitions, including “sensitive personal information” (now including neural data), “significant decision,” and “sensitive location,” and remove or revise terms such as “artificial intelligence” and “behavioral advertising” for internal consistency.
LOOKING AHEAD
The regulations must be approved by the California Office of Administrative Law before taking effect. The CPPA has indicated that the rules may be revisited as technology and business practices evolve.
Businesses subject to the CCPA should review the final regulations, assess their applicability, and begin preparing for phased compliance with cybersecurity audit, risk assessment, and ADMT requirements. The new cybersecurity audit provisions will help define how companies must safeguard personal information to meet their obligations under the law to provide “reasonable” security, and businesses subject to other laws impacting AI, such as the European Union’s AI Act and the Colorado AI Act, will need to determine how to craft compliance strategies that work for the business across each applicable regulatory regime.