ARTICLE
7 October 2025

California Privacy Regulations On ADMT, Cybersecurity Audits, And Risk Assessments Receive Final Approval

Sheppard Mullin Richter & Hampton

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

On September 23, 2025, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The regulations (previously discussed here) cover cybersecurity audits, risk assessments, automated decision making technology (ADMT), insurance companies, and updates to existing CCPA obligations.

The regulations require annual cybersecurity audits for certain businesses, privacy risk assessments tied to high-risk data processing, and consumer rights when ADMT is used to make significant decisions. They also extend CCPA coverage to insurance companies and revise existing rules on consumer requests, service provider duties, and recordkeeping. With OAL's approval, the package is now finalized and will take effect January 1, 2026, with audits phasing in beginning in 2028, risk assessment submissions starting in 2028, and ADMT rules effective in 2027.

Putting It Into Practice: With final approval secured, businesses should use 2026 and 2027 as a build period to prepare for the new obligations. Compliance will require coordinated efforts across legal, compliance, technology, and operations teams to map ADMT uses, establish audit programs, and create risk-assessment processes that meet CPPA standards. For financial institutions, this means looking beyond technology inventories and engaging underwriting, HR, and fraud teams to identify where automated tools are making or influencing significant decisions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
