Privacy & Information Security Law Blog

On July 24, 2025, the California Privacy Protection Agency (“CPPA”) finalized California Consumer Privacy Act (“CCPA”) regulations on automated decision-making technology, risk assessments and cybersecurity audits (the “Regulations”), following a lengthy rulemaking process. The new Regulations will take effect once approved by California’s Office of Administrative Law.

• Automated Decision-Making Technology (ADMT): The Regulations impose stricter requirements on the use of ADMT. For example, businesses must allow consumers to opt out of the use of ADMT when the technologies replace or substantially replace human judgment. The definition of “human involvement” under the Regulations means reviewers must be able to understand and evaluate output generated by ADMT, review the output and alter final decisions.
  • Compliance deadline: January 1, 2027.
• Risk Assessment: Companies must conduct risk assessments when engaged in certain processing, including “selling” or “sharing” personal information (as those terms are broadly defined under the CCPA), processing “sensitive personal information” (as defined under the CCPA), using ADMT to make significant decisions or using personal information to train ADMT, or when using automated technology to infer personal attributes under certain circumstances.
  • Compliance deadline: December 31, 2027.

• Cybersecurity Audits: The Regulations introduce mandatory annual cybersecurity audits that are conducted by qualified, objective, independent professionals using accepted auditing standards (g., standards adopted by the American Institute of CPAs). The Regulations stipulate that such auditors (which may be internal or external to the organization) must have knowledge of cybersecurity and how to audit a business’s cybersecurity program. The audits must assess the business’s cybersecurity program’s compliance with a variety of data security measures, including secure user authentication, encryption of personal information, account management and access controls, inventory and management of personal information, secure configuration of hardware and software, vulnerability scans, penetration testing, audit-log management, network monitoring and defenses, antivirus/antimalware protections, network segmentation, vendor management, data retention schedules, data disposal, incident response, and cybersecurity training, among other items. The audits must provide detailed disclosures, including the scope of the review, policies assessed, criteria applied, and supporting documentation. Businesses must document remediation plans for identified compliance gaps and retain audit records for five years. Businesses must complete and submit to the CPPA a written certificate of compliance by April 1 of the following year.
  • Compliance deadline:
    • April 1, 2028 (for businesses with over $100 million in annual gross revenue)
    • April 1, 2029 (for businesses with annual gross revenue of between $50 million and $100 million)
    • April 1, 2030 (for businesses with annual gross revenue less than $50 million)

To prepare for these new requirements, businesses should:

• ADMT
  • Audit their use of ADMT to determine if it replaces human judgment.
  • Build in a clear consumer opt-out mechanism for ADMT use.
  • Ensure humans can review, understand, and override ADMT decisions.
  • Train personnel on the new ADMT rules and processes.

• Risk Assessments
  • Determine whether the business “sells” or “shares” personal information, processes sensitive personal information, uses personal information to train ADMT, uses ADMT for significant decisions, or uses ADMT to infer consumers’ personal traits.
  • Conduct thorough risk assessments on these activities.
  • Document risks and fix compliance gaps.

• Cybersecurity Audits
  • Engage a qualified auditor with proven cybersecurity knowledge and auditing expertise (either internal or external).
  • Audit the business’s cybersecurity program to ensure it meets the requirements set forth in the Regulations.
  • Prepare detailed audit report that documents the scope of the review, policies assessed, criteria applied, and all supporting documentation.
  • Identify compliance gaps.
  • Create and track remediation plans to fix issues promptly.
  • Complete and submit a written certificate of compliance to the CPPA. Retain all audit records and documentation for 5 years.