Newly Approved CCPA Regulations Have Staggered Deadlines for Compliance

On September 23, 2025, the California Privacy Protection Agency (“CPPA”) announced that the California Office of Administrative Law approved the new California Consumer Privacy Act (“CCPA”) regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies, with staggered deadlines for compliance.

As noted by the CPPA, the approval marks the culmination of several years of industry and public engagement, including multiple hearings and hundreds of public comments.

The regulations take effect on January 1, 2026; however, the deadlines for compliance are staggered for different requirements and business types. 

Cybersecurity Audits

Businesses required to complete cybersecurity audits must submit certifications to the CPPA as follows:

| Business Type | Certification Deadline |
| --- | --- |
| Businesses making over $100 million | April 1, 2028 |
| Businesses making between $50 million and $100 million | April 1, 2029 |
| Businesses making less than $50 million | April 1, 2030 |


Risk Assessments

Businesses subject to risk assessment requirements must begin their compliance by January 1, 2026, and by April 1, 2028, they must submit to the CPPA:

  • An attestation that the required risk assessments were completed; and
  • A summary of their risk assessment information.

ADMT

Businesses using ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.
