Understanding the New California Consumer Privacy Act Regulations
Executive Summary
On September 23, 2025, the California Office of Administrative Law approved significant regulations under the California Consumer Privacy Act (CCPA), introducing a comprehensive framework for how businesses handle personal information from California consumers. These regulations, which take effect on January 1, 2026, establish mandates concerning consent procedures, privacy disclosures, risk assessments, and cybersecurity audits.
What’s New
The regulations specifically address businesses that utilize automated decision-making technology (ADMT) for significant decisions, mandating detailed documentation and governance for data processing activities. This proactive approach not only safeguards consumer privacy but also clarifies existing requirements under the CCPA.
Why It Matters
With these new regulations, companies must adapt quickly, mapping out their current and anticipated use of ADMT and preparing for the impending requirements. This restructuring of governance signifies a marked evolution in how consumer data is managed in California.
The New Compliance Landscape
The recently finalized regulations create three significant areas of compliance:
- Obligations for Businesses Using ADMT: Firms must comply with specific guidelines when making important decisions about consumers using automated systems.
- Risk Assessments: Mandatory evaluations are needed for certain high-risk processing activities, ensuring consumer data is handled responsibly.
- Cybersecurity Audits: Annual audits will be required, focused on businesses that present a significant risk to consumer data security.
These requirements will unfold over several years, but businesses must begin addressing them promptly to ensure compliance.
Automated Decision-Making Technology (ADMT)
A focal point of the new regulations is the scrutiny of ADMT, defined as technology that processes personal information to substantially replace human decision-making. This encompasses significant decisions spanning finances, housing, education, employment, and healthcare. Notably, advertising is excluded from this definition.
Key Obligations for ADMT Use
Starting April 1, 2027, businesses deploying ADMT for significant consumer decisions must:
- Conduct a risk assessment prior to implementation.
- Notify consumers about the business’s use of ADMT in these decisions.
- Provide an opt-out option for consumers with specified exceptions.
- Allow consumers to access information regarding how ADMT functions and its decision-making processes.
- Offer avenues for consumers to appeal decisions made by ADMT.
This framework not only promotes transparency but also empowers consumers to take control over their personal information.
Risk Assessments
Businesses subject to the CCPA must conduct risk assessments that evaluate potential negative impacts on consumer privacy before engaging in processing activities deemed to pose significant risks. Triggering activities include:
- Selling or sharing personal information for behavioral advertising.
- Processing sensitive personal information.
- Using ADMT for significant consumer decisions.
- Profiling consumers in specific contexts, such as education and employment.
Risk assessments must explore the potential for discrimination, economic harm, reputational damage, and impairment of consumers’ ability to make informed choices.
Timeframes for Compliance
Initial assessments for ongoing processing activities must be completed by December 31, 2027. Businesses are also required to report relevant information about these assessments to the California Privacy Protection Agency (CPPA) by April 1, 2028.
Cybersecurity Audits
Another cornerstone of the regulations mandates annual independent cybersecurity audits if a business poses a significant risk to consumer security. Here’s how "significant risk" is defined:
- Companies deriving 50% or more of their annual revenue from selling or sharing personal information.
- Firms earning over $25 million annually that process a substantial volume of personal information (e.g., over 250,000 consumers).
Audit Requirements
These audits are to be conducted by qualified professionals using recognized standards, culminating in a detailed report that outlines the cybersecurity program, measures, policies, and findings. Compliance ensures businesses safeguard consumer data effectively.
The phased schedule for audit implementation, based on revenue thresholds, is as follows:
- April 1, 2028, for businesses exceeding $100 million in 2026 revenue.
- April 1, 2029, for those with $50 million to $100 million in 2027 revenue.
- April 1, 2030, for businesses with less than $50 million in 2028 revenue.
Steps to Prepare
As these regulations reshape California’s privacy landscape, businesses must take proactive measures to ensure compliance:
- Evaluate ADMT Usage: Inventory current and planned ADMT applications, especially in areas such as hiring and fraud detection.
- Prepare for Risk Assessments: Develop frameworks and templates to assess and document high-risk processing activities ahead of time.
- Review Cybersecurity Programs: Ensure current programs align with the core components required in upcoming audits.
- Update Consumer-Facing Materials: Revise privacy notices and data subject rights processes to comply with the new regulations effectively.
Businesses must recognize these changes as an opportunity to strengthen their governance frameworks, ultimately fostering trust and accountability in their handling of consumer data.