California Privacy Protection Agency (CPPA) Approves Controversial Update to CCPA Regulations: Key Insights for Your Business – Privacy Protection

California Privacy Protection Agency Adopts New Regulations: A Game Changer for CCPA Compliance

On July 24, 2025, the California Privacy Protection Agency (CPPA) made headlines by unanimously voting to adopt a comprehensive package of Proposed Regulations for the California Consumer Privacy Act (CCPA). This pivotal decision marks a significant evolution in California privacy law, introducing new requirements that will impact businesses across various sectors. The regulations focus on Automated Decision-making Technology (ADMT), mandatory cybersecurity audits, risk assessments, and clarifications regarding the applicability of the CCPA to insurance companies. As these regulations move into their final review stage before formal enactment, businesses must prepare for a new era of privacy compliance.

CCPA Steering Toward Operational Compliance

The adoption of these regulations signals a shift toward a more operational phase of privacy compliance in California. The new rules aim to empower Californians with greater control over their personal information while pushing businesses to enhance transparency and accountability, particularly in the realm of automated decision-making and high-risk data processing. For companies, this is not merely a theoretical update; it is a clarion call to integrate these requirements into their daily governance, technology, process design, and vendor management practices.

Automated Decision-Making Technology in Focus

One of the most notable aspects of the new regulations is the establishment of a compliance framework for businesses that utilize ADMT to make “significant decisions” about consumers. In a key change, the CPPA’s latest draft removes all references to “artificial intelligence,” indicating that broader AI policy will be addressed in future legislation. However, the substance of the rules aligns closely with Colorado’s Artificial Intelligence Act, providing a welcomed consistency for companies operating across state lines.

Under the new regulations, businesses are required to provide a Pre-Use Notice that details the specific decision being made, the categories of personal information used, and the consumer’s right to opt out or appeal. There are limited exceptions where meaningful human review is already part of the decision-making process. These disclosures can be integrated into existing Notices at Collection, minimizing redundancy. For many companies, the critical step will be to inventory their use of ADMT, including third-party vendor tools, and ensure that documentation and oversight are robust enough to withstand regulatory scrutiny.

Cybersecurity Audits and Risk Assessments for “Significant Risk” Processing

Another operational impact of the new regulations is the requirement for mandatory cybersecurity audits for companies that meet specific revenue or data volume thresholds. Phased deadlines for compliance will begin in 2028, followed by annual certification requirements. Audits must be conducted by independent, qualified professionals—either internal or external—against recognized standards, focusing on evidence-based testing of security controls rather than mere management attestations. The regulations specify criteria for the independence and qualifications of such auditors.

The rules outline specific program elements subject to review, including multi-factor authentication, encryption, access controls, vulnerability testing, incident response, and vendor oversight. Businesses must document remediation plans for any identified gaps and retain audit records for five years.

Risk assessments will be triggered for activities that present “significant risk” to consumer privacy, such as selling or sharing personal information, processing sensitive data, using ADMT for significant decisions, and inferring consumer traits through automated processing. These assessments must evaluate risks against benefits, document data flows and safeguards, and be updated at least every three years or whenever material changes occur. For most organizations, the practical challenge will be to build scalable audit and risk assessment programs that can accommodate multiple processing activities while harmonizing with other state and federal frameworks.

Application to Insurance Companies

The new regulations also clarify how the CCPA applies to insurance companies and related entities. The term “insurance company” is defined broadly to include carriers, agents, and insurance-support organizations, while drawing a clear distinction between data governed by the Insurance Code and data subject to the CCPA.

If personal information is collected outside of an insurance transaction, insurers that meet the CCPA’s “business” threshold must fully comply. This includes employee and applicant data, marketing datasets, and website visitor information unrelated to policy applications or claims. In these cases, insurers must provide Notices at Collection, honor opt-outs (including preference signals), and treat employees as covered consumers under the CCPA.

Conversely, personal information processed strictly within the scope of an insurance transaction remains governed by the Insurance Code and is excluded from CCPA coverage. For large carriers, this means maintaining parallel compliance tracks: one under insurance regulations for policy and claims data, and another under the CCPA for ancillary data collection, employment records, and digital marketing activities.

Practical Next Steps for Businesses

With final approval of the regulations likely, companies should act swiftly to assess and prepare for these new obligations:

  1. Map Automated Decision-Making: Inventory all uses of ADMT and profiling, evaluate whether they meet the “significant decision” threshold, and develop pre-use notices to fulfill disclosure requirements. This should be integrated into existing data mapping efforts for CCPA compliance.

  2. Conduct Risk Assessments: Identify high-risk processing activities and sensitive data flows, designing a risk assessment process that documents purpose, proportionality, and safeguards. The results should align with controls that mitigate identified risks, supporting relevant cybersecurity audits.

  3. Plan for Cybersecurity Audits: For organizations processing large volumes of personal or sensitive data, begin developing an annual cybersecurity audit framework capable of producing evidence-based reports. This includes identifying and retaining qualified personnel to conduct these audits.

  4. Update Privacy Notices and DSAR Processes: Revise privacy notices to address ADMT use, strengthen identity verification procedures, and ensure opt-out mechanisms function as required.

  5. Review Vendor and Partner Contracts: Ensure service provider agreements align with the new requirements for purpose limitation, downstream obligations, and audit rights.

  6. Update Documentation and Retention Practices: Develop internal templates and repositories for audit reports and risk assessments, as these will likely be focal points in any CPPA enforcement actions.

Preparing for What Comes Next

Although the regulations have one more procedural step before becoming final, the CPPA’s unanimous vote makes adoption highly probable. For organizations handling data of California residents, it is time to transition from awareness to readiness. These updates not only expand privacy rights but also elevate the compliance bar across governance, security, and technology design in ways that will resonate throughout the U.S. market.

This theme aligns with the CPPA’s recent enforcement actions, which emphasize that businesses bear the responsibility for CCPA compliance, even when utilizing privacy management tools. The new regulations reinforce the message that operational soundness, continuous testing, and real-world execution are no longer optional; they are the baseline for CCPA compliance moving forward.

The content of this article serves as a general guide to the subject matter. Specialist advice should be sought regarding specific circumstances.