Newly Approved CCPA Regulations Have Staggered Deadlines for Compliance
Time 1 Minute Read
Categories: U.S. State Law, Cybersecurity, Enforcement, Online Privacy

On September 23, 2025, the California Privacy Protection Agency (“CPPA”) announced that the California Office of Administrative Law approved the new California Consumer Privacy Act (“CCPA”) regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies, with staggered deadlines for compliance.

As noted by the CPPA, the approval marks the culmination of several years of industry and public engagement including multiple hearings and hundreds of public comments.

The regulations take effect on January 1, 2026; however, the deadlines for compliance are staggered for different requirements and business types. 

Cybersecurity Audits

Businesses required to complete cybersecurity audits must submit certifications to the CPPA as follows:

Business Type

Certification Deadline

Businesses making over $100 million

April 1, 2028

Businesses making between $50 million and $100 million 

April 1, 2029

Businesses making less than $50 million

April 1, 2030


Risk Assessments

Businesses subject to risk assessment requirements must begin their compliance by January 1, 2026, and by April 1, 2028, they must submit to the CPPA:

  • An attestation that the required risk assessments were completed; and
  • A summary of their risk assessment information.

ADMT

Businesses using ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.

Tags: Audit, Automated Decisionmaking, California, CCPA, CPPA, Personal Data, Personal Information, Risk Assessment
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
California Proposes Landmark Labeling Law Targeting UPFs
By and

California has introduced Assembly Bill 2244, proposing a pioneering “California Certified” labeling standard for foods not classified as ultra-processed. The bill relies on forthcoming regulatory definitions and imposes retail placement requirements for qualifying products. As California continues to advance UPF regulation, this initiative is expected to shape food law trends nationwide.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
Guardrails for Legal AI: What California’s SB 574 Would Require of Attorneys and Arbitrators

As reported on the Hunton Employment & Labor Perspectives blog, SB 574 is a California bill that would set specific duties for attorneys who use generative artificial intelligence and would restrict how arbitrators may use such tools in decision-making.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page