On September 23, 2025, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved final regulations under the California Consumer Privacy Act (CCPA). The regulations (previously discussed here) cover cybersecurity audits, risk assessments, automated decision-making technology (ADMT), insurance companies, and updates to existing CCPA obligations.
The regulations require annual cybersecurity audits for certain businesses, privacy risk assessments tied to high-risk data processing, and consumer rights when ADMT is used to make significant decisions. They also extend CCPA coverage to insurance companies and revise existing rules on consumer requests, service provider duties, and recordkeeping. With the OAL's approval, the package is now finalized and will take effect January 1, 2026, with audits phasing in beginning in 2028, risk assessment submissions starting in 2028, and ADMT rules effective in 2027.
Putting It Into Practice: With final approval secured, businesses should use 2026 and 2027 as a build period to prepare for the new obligations. Compliance will require coordinated efforts across legal, compliance, technology, and operations teams to map ADMT uses, establish audit programs, and create risk-assessment processes that meet CPPA standards. For financial institutions, this means looking beyond technology inventories and engaging underwriting, HR, and fraud teams to identify where automated tools are making or influencing significant decisions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.