California’s most recent revisions to the California Consumer Privacy Act (CCPA) regulations mark a significant expansion of the State’s privacy framework.
On September 22, 2025, the California Office of Administrative Law (OAL) approved a package of CCPA regulations proposed by the California Privacy Protection Agency (CPPA), which took effect on January 1, 2026. The regulations introduce new obligations related to automated decision-making technology (ADMT), risk assessments, and cybersecurity audits for covered businesses.
While compliance deadlines roll out in phases from 2027 through 2030 (see Key Dates below), the extended timelines reflect regulators’ recognition that compliance requires substantial upfront work to understand and operationalize an organization’s data-governance and risk posture. Starting now is critical to establish the visibility, controls, and documentation needed to meet future reporting, attestation, and audit obligations.
Below we outline the key changes and practical steps organizations can take now to prepare for future reporting.
Regulatory Compliance Requirements
ADMT
Who must comply: When automated systems are used to make “significant decisions” affecting consumers, they fall within the scope of the ADMT requirements. The regulations define “significant decision” as “a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” See Final Regulations Text, § 7001 (ddd). Targeted advertising alone is not a “significant decision.”
Compliance timeframe: If ADMT was used for significant decisions prior to January 1, 2027, requirements must be in place by January 1, 2027. ADMT deployed on or after January 1, 2027 must comply prior to first use.
What compliance looks like:
- Pre-use notice at the point of decision explaining purpose, data categories, and rights.
- Opt-out where an exception does not apply; communicate exceptions (e.g., fraud prevention) plainly.
- Access and explanation on request, including inputs used and the rationale for use.
- Appeal process with human review and defined timelines.
- Risk assessment before training or using ADMT for significant decisions and upon material change.
Cybersecurity Audits
Who must comply: Businesses engaged in data processing activities that pose a “significant risk” to consumers’ security. A “significant risk” is present if the business generates more than 50% of its revenue from selling or sharing personal information, or if its prior-year annual gross revenue exceeds $25 million and it processed the personal information of 250,000 or more consumers or the sensitive personal information of 50,000 or more consumers.
Compliance timeframe: Companies with annual gross revenue exceeding $100 million must submit their first cybersecurity audit certification and related materials required by the regulations no later than April 1, 2028. Companies with annual gross revenue between $50 million and $100 million must submit their first certification and related materials no later than April 1, 2029, and companies with annual gross revenue below $50 million must submit their first certification and related materials no later than April 1, 2030.
What compliance looks like: The regulations presume the existence of a cybersecurity program for covered entities. With regard to the audit of the cybersecurity program, the regulations require:
- Qualified, objective auditor, internal or external to the business, who is free to make decisions and exercise judgment without influence from the business being audited. Where an internal auditor is used, the regulations prescribe a reporting structure to ensure the auditor maintains independence.
- Audit performed under an industry standard issued or adopted by the American Institute of Certified Public Accountants (AICPA), the Public Company Accounting Oversight Board (PCAOB), the Information Systems Audit and Control Association (ISACA), or the International Organization for Standardization (ISO).
- Full cooperation by the entity being audited, including (1) making available all information requested, (2) good faith disclosure of all relevant facts, and (3) no factual misrepresentations.
- Audit report contents are prescribed by 11 CCR § 7123. The written audit report must describe the systems, criteria, and evidence reviewed; identify applicable components; detail gaps and remediation timelines; note corrections to prior reports; list up to three responsible roles; identify the auditor and qualifications; include a signed independence statement; and, if applicable, reference breach notices made during the period. Specific elements to be evaluated, as applicable, are further prescribed in the regulatory text. A business may reuse another audit if, alone or with supplements, it fully satisfies § 7123’s requirements.
- Report provided to executive management and retained for a minimum of five (5) years after completion of the audit.
Risk Assessments
Who must comply: Businesses whose processing of consumer personal information presents “significant risk” to consumers’ privacy. Processing constitutes “significant risk” where the business sells or shares personal information, processes sensitive personal information, trains or uses ADMT for “significant decisions,” uses biometrics for identity verification or profiling, or makes automated inferences in sensitive contexts.
Compliance timeframe: For covered processing activities that began before January 1, 2026 and continue on or after that date, assessments must be completed by December 31, 2027. Annual summary reporting to the CPPA begins April 1, 2028.
What compliance looks like: Businesses must conduct a risk assessment with attestation before starting any processing of personal information that presents a “significant risk” to consumer privacy.
- Stakeholder involvement: The regulations require the involvement of employees whose job duties include participating in the processing of personal information that would be subject to a risk assessment. Additionally, businesses are expected to involve vendors, service providers, experts, and other relevant third parties to gather necessary information for the assessment. Notably, the regulations include in this list “experts in detecting and mitigating bias in ADMT.”
- Risk assessment report contents: The risk assessment report must identify and document:
- Business purpose for processing: State a specific, non-generic purpose and the minimum necessary categories of personal (and sensitive) information to achieve that purpose.
- Operational elements: Collection/use/disclosure/retention methods and sources, retention periods or criteria, interaction channels and purposes, approximate consumer counts, disclosures/notices, recipients (service providers/contractors/third parties) and purposes; and for ADMT, the logic (with assumptions/limitations), outputs, and how outputs are used for significant decisions.
- Weigh anticipated benefits and negative impacts: Including sources/causes—e.g., unauthorized access or loss of availability, unlawful discrimination, loss of control or coercion/dark patterns, and economic, physical, reputational, or psychological harms.
- Safeguards to mitigate anticipated negative impact: Including technical controls, privacy-enhancing technologies, expert consultation/monitoring, and policies/training for lawful, non-discriminatory ADMT.
- Ultimate decision: On consideration of other required elements, the organization must document and justify its decision to proceed.
- Contributors and approvers: Must list contributors (excluding legal counsel), record the review and approval date for the decision, and identify the approvers with authority to decide whether to initiate the processing.
Key Dates to Calendar for ADMT, Audits, and Risk Assessments
- January 1, 2026 — Regulations effective; prospective risk-assessment duties apply.
- January 1, 2027 — ADMT requirements apply; ADMT used for significant decisions prior to this date must be brought into compliance, and ADMT deployed thereafter must comply prior to first use.
- December 31, 2027 — Complete initial risk assessments for covered pre-January 1, 2026 processing that continues on or after that date.
- April 1, 2028 — First annual risk-assessment summary report due; first cybersecurity audit submissions for companies with 2026 annual gross revenue above $100M.
- April 1, 2029 / April 1, 2030 — First cybersecurity audit submissions for companies with 2026 annual gross revenue of $50–100M (2029) and under $50M (2030), respectively.
Our team supports covered entities end-to-end across all three areas—ADMT, cybersecurity audits, and risk assessments. We bring cross-functional expertise and provide practical deliverables depending on your organizational needs. If you would like help standing up or refining your program, reach out to Brittney Mollman or Luke Sosnicki for further information.