California Privacy Protection Agency Finalizes CCPA Regulations for AI

California Privacy Protection Agency Finalizes New Regulations Under CCPA

On July 24, 2025, the California Privacy Protection Agency (CPPA) finalized a significant set of regulations under the California Consumer Privacy Act (CCPA). These new rules address critical areas such as cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). Following an extensive and often contentious rulemaking process, these regulations mark a pivotal evolution in California’s data privacy and security landscape, with far-reaching implications for businesses operating within the state.

Background and Rulemaking Process

The CPPA initiated its rulemaking process in November 2024, engaging a diverse array of stakeholders, including technology companies, civil society organizations, and government officials. The proposed rules surrounding ADMT emerged as particularly contentious, with various commentators, including California Governor Gavin Newsom, urging the CPPA to balance regulatory oversight with the need to foster innovation in the artificial intelligence (AI) sector.

In response to these concerns, the final regulations have narrowed the scope of certain requirements related to ADMT. Notably, references to AI and behavioral advertising have been removed, expanding the circumstances under which businesses can utilize ADMT and scaling back the conditions under which consumers may opt out. Additionally, compliance obligations for cybersecurity audits will be phased in over several years, allowing businesses time to adapt.

The adoption of these regulations coincides with the Trump administration’s release of "America’s AI Action Plan," which emphasizes promoting innovation over regulation in the AI field. This plan suggests that federal agencies consider a state’s regulatory climate when making funding decisions, potentially limiting funding for states with stringent regulations. As such, the new ADMT regulations may set the stage for future disputes with federal authorities regarding AI regulation.

Key Regulatory Updates and Requirements

Automated Decision-Making Technology (ADMT)

Scope and Definitions:
ADMT is defined as any technology that processes personal information to replace or significantly reduce human decision-making. The regulations specify that a "significant decision" involves critical areas such as financial services, housing, education, employment, and healthcare. Importantly, the definition excludes basic tools like firewalls and spreadsheets, focusing instead on more complex AI systems.

Notice Requirement:
Businesses utilizing ADMT for significant decisions must provide consumers with a clear pre-use notice at or before the point of data collection, explaining the specific purpose of the ADMT.

Consumer Rights:
Consumers have the right to opt out of ADMT and access information regarding its use in significant decisions. However, businesses are not required to offer an opt-out option if they provide a method for consumers to appeal decisions to a human reviewer.

Risk Assessments for ADMT:
Businesses must conduct risk assessments when using ADMT for significant decisions, documenting the categories of personal information processed and the logic behind the system.

Cybersecurity Audits

Applicability and Scope:
Annual cybersecurity audits are mandated for businesses whose processing of personal information poses a "significant risk" to consumer privacy. This includes businesses that derive a substantial portion of their revenue from selling or sharing personal information or those with significant annual revenue and large consumer bases.

Audit Standards and Independence:
Cybersecurity audits must be conducted by qualified, independent professionals. Internal auditors must report to executive management rather than the board of directors, ensuring objectivity.

Audit Content:
Audits will assess a comprehensive range of cybersecurity controls, including multifactor authentication, encryption, access controls, and vulnerability management. The auditor will determine which controls are applicable based on the business’s size and complexity.

Reporting and Certification:
While businesses are not required to submit audit reports to the CPPA, they must annually certify the completion of the audit. The agency retains the authority to request audit reports during investigations.

Implementation Timeline:
Compliance will be phased in based on business size, with deadlines ranging from April 1, 2028, for larger businesses to April 1, 2030, for smaller entities.

Risk Assessments

Triggering Activities:
Risk assessments are required for activities that present a significant risk to consumer privacy, including the sale of personal information and the use of ADMT for significant decisions.

Assessment Requirements:
Businesses must conduct data inventories to document the personal information processed and the purposes for which it is used. They must also evaluate the benefits and potential negative privacy impacts of their processing activities.

Submission and Certification:
Annual submissions of risk assessment information are required, including attestations under penalty of perjury.

Other Notable Provisions

The regulations clarify the application of the CCPA to insurance companies and update definitions, including "sensitive personal information" and "significant decision." Notably, terms like "artificial intelligence" and "behavioral advertising" have been revised for internal consistency.

Looking Ahead

Before taking effect, the regulations must be approved by the California Office of Administrative Law. The CPPA has indicated that these rules may be revisited as technology and business practices evolve.

Businesses subject to the CCPA should carefully review the final regulations, assess their applicability, and begin preparing for phased compliance with the new requirements. The cybersecurity audit provisions will help define how companies must safeguard personal information to meet their legal obligations. Additionally, businesses affected by other laws impacting AI, such as the European Union’s AI Act, will need to navigate compliance strategies that align with multiple regulatory frameworks.

In conclusion, the CPPA’s finalized regulations represent a significant step forward in California’s approach to data privacy and security, balancing the need for consumer protection with the imperative of fostering innovation in a rapidly evolving technological landscape.
