The California Office of Administrative Law has provided its stamp of approval to the updated CCPA regulations approved by the California Privacy Protection Agency in July 2025, and the revised regulations will now be published in the California Code of Regulations (CCR). The revised regulations include new regulations on Automated Decision-Making Technology (ADMT), which includes more than just the use of Artificial Intelligence; Risk Assessments; and Cybersecurity Audits. They also include updates and clarifications to the existing regulations in areas such as privacy notices, service provider agreements, and other regulatory requirements, as well as new regulations directed only towards insurance companies.
Changes to the existing regulations go into effect on January 1, 2026. However, certain new requirements with respect to ADMT, Risk Assessments, and Cybersecurity Audits have later effective dates:
- The effective dates for Cybersecurity Audits depend on a business's annual revenue, with compliance dates of April 1, 2028, for businesses with revenues over $100M, April 1, 2027, for businesses with revenues between $50M and $100M, and April 1, 2030, for businesses with revenues under $50M.
- Businesses that are required to perform a risk assessment under the revised regulations must begin compliance on January 1, 2026, but are not required to provide an attestation that the risk assessment has been completed and a summary of its findings until April 1, 2028.
- Businesses that use ADMT to make significant decisions are not required to comply with the new ADMT regulations until January 1, 2027.
Impact on Businesses
Businesses should be reminded that not all of the new regulations may apply to them. Each of the new ADMT, Cybersecurity Audit, and Risk Assessment regulations has its own applicability thresholds. For example, the ADMT regulations only apply if the ADMT (which, again, includes more than just the use of Artificial Intelligence and may apply to other, more traditional technology) is used for "significant decisions" as defined in the regulations. Businesses should review which, if any, of the new regulations apply to them (or may apply to them as of the applicable effective dates), and begin planning for compliance when appropriate.
While some of the effective dates may be over 4 years from now (for relatively small businesses subject to the cybersecurity audit requirements), some of the new regulations may take some planning and resources that would benefit from an early start. On the other hand, relatively large businesses (those with more than $100M in annual revenue) likely have significant information technology infrastructure, and the short (less than 3-year) window to complete the cybersecurity audits will go by quickly. Such businesses will need to allocate resources immediately to comply with the deadlines.
The California Privacy Protection Agency (CPPA) announced today that the California Office of Administrative Law has approved regulations covering cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), insurance companies, and updates to existing CCPA regulations.