On July 24, 2025, the California Privacy Protection Agency Board (CPPA) unanimously voted during its board meeting to finalize a long-awaited regulations package under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). These rule changes address the use of automated decision-making technology (ADMT), risk assessments and cybersecurity audits, also providing clarity on important compliance timelines.
How this impacts you
- ADMT: The CPPA’s finalized regulations have significantly clarified the ADMT rules, narrowing their scope to only those technologies that replace or substantially replace human decision-making when used for significant decisions affecting consumers, such as employment eligibility screening, credit approval, healthcare treatments and housing decisions. Note that significant decisions no longer include behavioral advertising; the initially proposed regulations had included it, which would have swept in first-party advertising activities. This targeted scope narrows compliance obligations primarily to critical, high-stakes decisions rather than routine business support processes.
The finalized regulations further clarify the scope of consumers’ ADMT opt-out rights, specifically by expanding several exceptions where a business does not need to provide the right to opt out of ADMT. For example, if a business provides a human reviewer to review an output from a qualified ADMT process or system and allows the consumer to appeal a significant decision made by ADMT, the consumer will not have the right to opt out of ADMT.
- Risk assessments and annual attestations: The finalized CPPA regulations now require comprehensive risk assessment reports, which function similarly to traditional Privacy Impact Assessments (PIAs) and are triggered to address specific processing activities that present significant risk to a consumer’s privacy. The finalized regulations explicitly define the following processing activities that would require organizations to carry out a risk assessment:
- Processing any sensitive personal information, as defined by CCPA/CPRA (with a limited exemption for employee compensation and benefits).
- Profiling based on sensitive location activities, which means situations where organizations rely on a consumer’s presence in a sensitive location (e.g., hospitals, schools, places of worship or political party offices) to infer or extrapolate a consumer’s preferences, behaviors, and other activities.
- ADMT training or use, specifically in situations where an organization uses ADMT for a significant decision concerning a consumer or where an organization intends to process consumers’ personal information to train an ADMT that will render a significant decision (e.g., facial recognition or identity verification).
- “Selling or sharing” personal information in a way that introduces significant risk to a consumer’s privacy (especially if involving third parties or data brokers).
The finalized regulations also clarify the risk assessment requirements. Organizations with an established PIA program and assessment templates will find that these map closely to the risk assessment requirements, but the new requirements introduce their own nuances, such as additional accountability assigned to the “reviewer and approver” of the PII processing. The requirements for a compliant California risk assessment are summarized below:
- A detailed description of the processing purpose, including how personal information is collected, used, disclosed and retained.
- Categories of personal information to be processed, including sensitive personal information.
- Operational elements of the processing, including ADMT logic and its outputs, the approximate number of consumers, and categories of service providers, contractors or third parties.
- A transparent risk-benefit analysis, which clearly evaluates negative impacts to consumers’ privacy versus benefits to the business, consumers and the public interest.
- Safeguards planned to reduce risk and mitigate any negative impacts identified in the risk-benefit analysis.
- Designated personnel who reviewed and approved the risk assessment, except for legal counsel who provide legal advice, as well as the individual with the authority to decide whether the company initiates the processing.
At least once every three years, a business must review its risk assessments and update them as necessary to ensure they remain accurate. If there is a “material change” relating to a processing activity, the risk assessment must be updated within 45 calendar days. Risk assessments, including the original and updated versions, must be retained for as long as the processing activity continues, or for five years after the completion of the risk assessment, whichever is later.
- Cybersecurity audits: The finalized CPPA regulations, as with risk assessments, clarify when a cybersecurity audit is required. Specifically, an organization must perform a cybersecurity audit if its processing presents significant risk to consumers’ security, which is triggered if any of the following is true:
- The organization is a business (as defined under the CCPA) that derives 50% or more of its annual revenues from selling or sharing consumers’ personal information; or
- The organization is a business (as defined under the CCPA) that had annual gross revenues of more than $25 million in the preceding calendar year and
  - Processed the personal information of 250,000 or more California consumers or households in the preceding calendar year; or
  - Processed the sensitive personal information of 50,000 or more California consumers in the preceding calendar year.
Moreover, the finalized CPPA regulations require that cybersecurity audits be performed by a qualified, objective and independent auditor (internal or external) with knowledge of cybersecurity and how to audit a business’s cybersecurity program.
The finalized regulations also give guidance on audit standards: required audits can be assessed against standards set by the American Institute of Certified Public Accountants (AICPA) or the Information Systems Audit and Control Association (ISACA). They further provide that a previous cybersecurity audit prepared for another purpose can be used if it meets the finalized regulation’s requirements, and they explicitly reference the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0. Cybersecurity audit requirements are now structured and timed according to revenue size. Businesses required to perform a cybersecurity audit must complete their first audit between April 2028 and April 2030, with earlier deadlines established for higher-revenue businesses.
Lastly, the finalized regulations have created a shift from board-level certification (required in the original proposed CCPA regulations) to certification by a member of the business’s executive management team who has direct responsibility for the business’s cybersecurity audit compliance.
When this goes into effect
Assuming the California Office of Administrative Law (OAL) approves the package within its 30 business-day review, the regulations will take effect according to statutory timing, between January 1, 2027, and April 1, 2030.
This chart illustrates a timeline of compliance deadlines:
- Jan 1, 2027: Deploy pre-notice describing in plain language the specific purpose and opt-out choices for consumers and employees if ADMT is used for significant decisions.
- Dec 3, 2027: Submit completed risk assessment to the CPPA if ADMT is used for significant decisions about consumers and employees.
- Apr 1, 2028: For a large business (>$100M in 2026 revenue), submit a completed cyber audit report covering calendar year 2027.
- Apr 1, 2029: For a medium-sized business ($50M - $100M in 2027 revenue), submit a completed cyber audit report covering calendar year 2028.
- Apr 1, 2030: For smaller businesses (<$50M in revenue) that meet California personal data thresholds, submit a completed cyber audit report covering calendar year 2029.
How to prepare
ADMT
- Carefully evaluate whether ADMT systems or processes that make significant decisions replace human decision-making or merely augment it: determine whether the ADMT makes a decision without meaningful human oversight, or simply assists a human in reaching a decision that can be freely accepted or overridden.
- Review current opt-in/opt-out mechanisms (which were originally implemented for marketing or cookie preferences) and ensure that advance notice and clear opt-in/opt-out mechanisms for ADMT uses are also provided to consumers.
- Begin to educate personnel who design, engage or deploy ADMT.
Risk assessments & annual attestations
- Revisit processing activity inventories to ensure those are maintained with up-to-date information on use cases and triggered appropriately for new types of PII processing.
- Review processing activities that will trigger a risk assessment under the finalized regulations and determine whether existing PIAs need to be modified or re-performed to capture risks not previously identified.
- By early 2026, review existing PIA program and assessment templates, or establish a new process to ensure traceability across the new requirements. Specifically, create a CPPA risk assessment overlay either as a standalone workflow or an enhanced module within an existing PIA solution/workflow.
Cybersecurity audits
- Begin to engage a qualified professional services firm or auditor with proven cybersecurity credentials, specifically with experience in conducting audits against the AICPA Cybersecurity Risk Management Reporting Framework, ISACA standards (e.g., COBIT or Risk IT framework) and NIST CSF 2.0.
- Kick off a cybersecurity audit readiness review, defining clear accountability roles, especially in the executive management team (e.g., CISO and Lead Security Program Manager).
- Review previous cybersecurity audits and assessments with similar levels of scrutiny and leverage those efforts to proactively prepare for California’s requirements.
Make sure you understand the impact of the new CCPA/CPRA regulations, and how to address them, to maintain the trust at the foundation of your business.
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.