Vault Door

California Finalizes CCPA Regulations on Automated Decision-Making Technology, Risk Assessments, and Cybersecurity Audits

By Mari S. Clifford and Scott C. Hall

In July 2025, the California Privacy Protection Agency (CPPA) adopted final regulations governing automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits under the California Consumer Privacy Act (CCPA). The final vote by the CPPA Board took place on July 24, following over a year of drafting and public comment.

The regulations now await approval by California’s Office of Administrative Law (OAL). If the agency files them by the August 2025 deadline, they may become operative as early as December 1, 2025; otherwise the effective date will default to January 1, 2026. Businesses should not mistake the narrowing of the earlier drafts for retreat. The rules establish a practical but enforceable compliance regime, particularly for companies leveraging algorithmic tools, engaging in high-risk processing, or navigating overlapping state and global privacy frameworks.

Recalibrating the Definition and Scope of ADMT

The CPPA’s final rules significantly narrow the scope of ADMT obligations to cases where technology “replaces or substantially replaces human decision making,” removing explicit references to artificial intelligence and behavioral advertising use cases. This is a meaningful departure from the earlier, more expansive draft, which included tools that merely “facilitated” decisions or referenced artificial intelligence more broadly.

Under the revised rules, businesses are subject to ADMT obligations only when the technology is used to make “significant decisions,” meaning decisions that affect a consumer’s access to financial or lending services, employment, housing, education, or healthcare. The profiling and model-training uses that earlier drafts also covered now appear as risk assessment triggers rather than as triggers for the ADMT notice and opt-out obligations. Many previously covered scenarios, such as first-party advertising or public observation, have been removed entirely from the rule’s opt-out and notice requirements.

Additionally, businesses no longer need to issue standalone “pre-use” notices. Instead, the revised rules allow them to integrate ADMT disclosures into existing notices at collection, easing administrative overhead while preserving transparency obligations.

Narrowing Consumer Rights and Expanding Business Flexibility

In line with its refined scope, the CPPA has pared back many of the consumer rights included in the original ADMT draft. Opt-out rights no longer apply to workplace or education profiling, public surveillance, or ADMT training activities. Instead, the rules focus on scenarios where ADMT is used to make determinations about core life opportunities—such as being hired, admitted to a school, or approved for a loan.

For these remaining “significant decision” use cases, businesses must provide a mechanism for consumers to opt out or, in some cases, an appeal process reviewed by a qualified human decision-maker. The rules also introduce specific safeguards for biometric profiling and emotion-recognition systems, including accuracy evaluations and nondiscrimination audits.

Importantly, the final rules as adopted retain consumer access rights to ADMT outputs, summaries of the logic used, and the key factors behind a decision, but businesses will not be required to disclose trade secrets or details that could compromise fraud-prevention or safety defenses.

Cybersecurity Audits: Scaled by Revenue, Governed by Independence

The CPPA has also finalized a more risk-based and scalable cybersecurity audit framework. Under the final rules, businesses that (i) meet the data broker threshold or (ii) process the personal information of 250,000 or more consumers (or the sensitive personal information of 50,000 or more consumers) must conduct an annual cybersecurity audit, with the first audits due between 2028 and 2030 depending on revenue tier.

Audits must follow recognized professional standards and be certified by an executive responsible for cybersecurity. Auditors may be internal or external, but must be structurally independent. Key updates include:

  • Businesses are no longer required to justify omitted safeguards (e.g., zero-trust architecture) or assess controls deemed inapplicable.
  • Reports now require detailed explanations of any security gaps, plus a remediation plan, and must be retained for five years.
  • A certification of audit completion must be submitted annually to the CPPA, beginning April 1, 2028, for larger entities.
  • Internal auditors may now report directly to senior management, rather than the board, so long as they remain structurally independent from the cybersecurity function.

This flexible structure is intended to support scalability across organizations while preserving the CPPA’s ability to scrutinize audit content and governance rigor.

Risk Assessments: From Intrusive to Interoperable

In a move praised by industry stakeholders, the CPPA has also walked back some of the more onerous elements of its proposed risk assessment requirements. Most notably:

  • Full submissions are no longer required. Instead, businesses must retain the assessment and file only a certification and brief summary of key facts with the CPPA starting in 2028.
  • Risk assessments are now required before a business (1) sells or shares personal information, (2) processes sensitive personal information, (3) uses ADMT for a significant decision concerning a consumer, (4) uses automated processing to infer attributes about an educational or job applicant, student, employee, or independent contractor, (5) uses automated processing to infer attributes based on a person’s presence in a sensitive location, such as a medical facility, shelter, or place of worship, or (6) trains ADMT for any of those uses.
  • Assessments must address detailed elements (purpose, types of personal information, specific processing operations, safeguards, stakeholder contributors, approver identity, and risks/benefits) and be approved by the business decision maker responsible for that activity. They must be reviewed at least every three years, or within 45 days of a material change to the processing activity. Starting April 1, 2028, businesses must annually report to the CPPA the number of risk assessments conducted, the types of processing activities and personal information involved, and submit an executive attestation, under penalty of perjury, that the assessments were completed.

Strategic Implications and Compliance Planning

These revised rules offer clearer paths for operationalization but shorten the lead time for implementation. Businesses that rely on ADMT or engage in high-volume or sensitive data processing should prioritize the following steps in the months ahead:

  • ADMT Mapping: Inventory current uses of automated decision-making technology, including any models trained for those uses, and map them against the new CCPA triggers by year end.
  • Privacy Risk Framework Integration: Evaluate whether existing DPIAs or AI assessments can be adapted to meet CCPA criteria. This is particularly critical for training use cases.
  • Audit Preparation: Assign ownership for cybersecurity compliance and begin gap-mapping against the CPPA’s control expectations, especially if audit certification deadlines fall in 2028 or 2029.
  • Executive Readiness: Socialize the upcoming CPPA attestation requirement with your executive team and secure resources for the 2026-27 assessment cycle.

Takeaways for Businesses

The CPPA’s latest rulemaking reflects a maturation of the CCPA framework, shifting the regulatory emphasis from consumer self-help to enterprise accountability. While the approved rules are more targeted and feasible than earlier drafts, they still demand robust documentation, governance, and strategic alignment across legal, privacy, and security teams.

The CPPA Board signaled it may revisit these rules as technology and market practices evolve, so anticipate further iterative adjustments.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.