California Finalizes Regulations to Bolster Consumers' Privacy

New CPPA Privacy Rules in California: Cybersecurity, Risk & ADMT

The California Privacy Protection Agency (CPPA) recently announced that the California Office of Administrative Law has approved regulations regarding cybersecurity audits, risk assessments, automated decision-making technology (ADMT), insurance companies, and updates to existing CCPA regulations.

The approval concludes several years of vigorous engagement with industry and the public.

The rulemaking process included several hearings and the review of hundreds of public comments—all of which were carefully considered by the CPPA Board prior to adopting the regulations.

“These rules ensure that Californians continue to have the strongest privacy protections in the country while being responsive to the realities of business implementation. I'm deeply grateful to our team and to members of the public whose contributions helped to shape these regulations,” said Jennifer Urban, Chair of the CPPA Agency Board.

“The regulations provide clarity for businesses, while ensuring strong protections for Californians,” said Phil Laird, General Counsel for the CPPA. “Our goal has always been to give consumers meaningful rights and also provide practical compliance pathways for businesses.”

The regulations go into effect January 1, 2026. But it’s important to note that there’s more time for businesses to comply with some of the new requirements. This includes cybersecurity audits, risk assessments, and requirements for automated decision-making technologies.

Cybersecurity Audits and Certifications

Businesses must complete cybersecurity audits and must submit certifications to the CPPA by:

  • April 1, 2028, if the business makes over $100 million;
  • April 1, 2029, if the business makes between $50 million and $100 million; or
  • April 1, 2030, if the business makes less than $50 million.

Risk Assessments

Businesses subject to risk assessment requirements must start compliance by January 1, 2026. And, by April 1, 2028, they must submit the following to the CPPA:

  • An attestation that required risk assessments were completed, and
  • A summary of their risk assessment information.

Automated Decision-Making Technology (ADMT)

Businesses that use Automated Decision-Making Technology to make significant decisions are required to comply with the ADMT requirements beginning January 1, 2027.

ADMT is technology that makes decisions, or that a person relies upon to make a decision. It includes “profiling,” which is evaluating consumers by automated means (e.g., using technology to analyze their personality, interests, behavior, or location).

Artificial intelligence (AI) can be ADMT, but not all AI is ADMT.

When a consumer opts out, the business can’t collect, use, disclose, retain, or otherwise process the consumer’s personal information using that ADMT.

The agency says that the final regulations and supporting materials will be posted on the CPPA website as soon as they’re processed.

Bottom Line

Californians have the strongest privacy rights in the nation.

The California Privacy Protection Agency protects Californians’ privacy. Businesses should make certain that they understand their obligations and comply with these regulations. If you have questions, please contact us at Eanet, PC.
