CCPA’s New Era
A Look at Automated Decision-Making, Risk Assessments, and Cybersecurity Audits
In September 2025, the California Privacy Protection Agency (CPPA) finalized a significant new set of regulations under the California Consumer Privacy Act (CCPA), introducing comprehensive requirements for businesses that use automated decision-making technology (ADMT), conduct risk assessments, and perform cybersecurity audits. The rules take effect January 1, 2026 [soon!], and mark a major evolution in California’s privacy landscape: they align the CCPA more closely with other state and international privacy frameworks while also introducing novel compliance obligations.
Key Takeaways
Businesses using ADMT for significant consumer decisions must provide pre-use notices, honor opt-out and access requests, and implement robust governance practices.
Risk assessments are now mandatory for certain high-risk data processing activities, with detailed documentation, regular updates, and annual reporting to the CPPA.
Annual cybersecurity audits are required for businesses whose data processing presents significant security risks, with strict independence and documentation standards.
The regulations clarify insurance companies’ CCPA responsibilities and update several existing transparency and consumer rights provisions.
Automated Decision-making Technology (ADMT): New Consumer Rights and Business Duties
Scope and Applicability
The ADMT regulations apply to businesses using automated systems that replace, or substantially replace, human decision-making in making “significant decisions” about consumers. Covered decisions include, for example, the provision or denial of financial or lending services, housing, education, employment, or healthcare. Notably, advertising is excluded from the definition of “significant decision.”
The rules set a high bar for what counts as “human involvement”: a human must actually review the ADMT’s output and have both the authority and the ability to change the outcome. Technologies that merely assist (but do not replace) human decision-making, such as spreadsheets, are generally excluded unless they are in fact used to replace human judgment.
Pre-Use Notice and Transparency
Before using ADMT for a significant decision, a business must provide consumers with a detailed pre-use notice. The notice must explain the specific purpose of the ADMT, the consumer’s rights to opt out and to access information, and how the ADMT affects the decision. Notices must be clear and specific, and must be provided at or before the point of data collection or, if previously collected data is repurposed, before the ADMT is used.
A single consolidated notice may cover multiple ADMT uses or purposes, but each use must be described in enough detail that the disclosure is not generic.
Consumer Rights: Opt-Out and Access
Consumers have the right to opt out of ADMT use for significant decisions and to access information about how ADMT was used in their case. Businesses must offer at least two opt-out methods, one of which must reflect the way the business primarily interacts with consumers. Opt-out requests must be processed promptly (within 15 business days), and businesses must ensure that their service providers and contractors honor them as well.
Certain exceptions apply, such as when the business offers a meaningful human appeal process, or when ADMT is used solely for hiring or work allocation decisions and the business has taken steps to ensure the ADMT does not discriminate.
For access requests, businesses must provide a plain-language explanation of the ADMT’s purpose, its logic (including the key parameters that affected the output), and how it was applied to the consumer, while protecting trade secrets and security-sensitive information.
Timeline
Businesses must bring existing ADMT uses into compliance by January 1, 2027; ADMT deployed after that date must comply before it is first used.
Risk Assessments: Expanding Accountability
Triggering Activities
Risk assessments must be completed before a business begins any of the high-risk processing activities enumerated in the regulations, including:
Selling or sharing personal information,
Processing sensitive personal information (with certain employment exceptions),
Using ADMT for significant decisions,
Automated profiling based on systematic observation or presence in sensitive locations,
Training ADMT or biometric identification technologies using personal information.
Assessment Content and Process
Assessments must document the purpose, data categories, operational details, benefits, risks, and safeguards of the processing activity. A balancing test is required to weigh consumer privacy risks against the benefits to the business, consumers, and the public.
Stakeholder involvement is mandated, including relevant employees, service providers, and, in some cases, external experts or consumer representatives. Developers of ADMT must provide necessary information to recipient businesses for their own assessments.
Reporting and Recordkeeping
Businesses must submit annual “risk assessment information” (aggregate metrics and an attestation, not the full reports) to the CPPA, with the first submission due by April 1, 2028. Full risk assessment reports must be provided to the CPPA or the Attorney General on request, within 30 days. Assessments must be reviewed at least every three years and updated whenever there is a material change to the processing, and must be retained for the longer of five years or the life of the processing activity. Be careful with this one. While it might initially seem like you can retitle the PIA you have been using for years, that is not the case. The content requirements here are prescriptive, and an existing PIA template will almost certainly need to be reworked.
Cybersecurity Audits: Raising the Bar
Applicability and Scope
Annual cybersecurity audits are required for businesses whose processing of personal information presents significant risk to consumers’ security (a threshold keyed to revenue and processing volume). An audit must evaluate whether the business’s cybersecurity program is appropriate for its size, complexity, and processing activities, and must assess each of the specific program components the regulations enumerate, such as multi-factor authentication, encryption of personal information at rest and in transit, account management and access controls, vulnerability scanning and penetration testing, audit log management, and incident response.
Audit Independence and Documentation
Audits must be conducted by qualified, objective, and independent professionals, either internal or external, who are free from conflicts of interest; an internal auditor must report to a member of executive management (or the board) who is not responsible for the cybersecurity program being audited. Audit reports must describe the audit process and criteria, the findings, any gaps or weaknesses identified, the remediation plans and timelines, and the qualifications of the individuals responsible for the audit.
Attestation and Retention
A member of the board or governing body, or the business’s highest-ranking executive, must sign an annual certification that the audit was completed, and that certification must be submitted to the CPPA. Audit documentation must be retained for at least five years. The audit reports themselves are not routinely submitted, but they must be made available to the CPPA on request.
Additional Regulatory Updates
Insurance companies must comply with the CCPA for personal information that is not already covered by the California Insurance Code.
The definition of “sensitive personal information” now includes neural data and the personal information of consumers the business knows are under 16 (children’s data is really having a moment).
New notice requirements apply to data collected through connected devices and in augmented or virtual reality environments.
Updated rules prohibit manipulative (“dark pattern”) design in consent and opt-out flows: choices must be symmetrical, so opting out may not require more steps than opting in. The right to correction is also strengthened, so corrected data must stay corrected rather than being overwritten by stale copies.
Conclusion
The new CCPA regulations bring California’s privacy regime closer to other U.S. state laws and the EU’s GDPR, particularly on risk assessments and automated decision-making. California’s rules, however, are often more prescriptive and introduce unique requirements, such as mandatory cybersecurity audits and detailed ADMT governance. In-scope organizations must act promptly to update their governance frameworks, consumer-facing processes, and vendor management practices ahead of the effective date, and should continue to monitor regulatory developments as the CPPA refines California’s privacy landscape.