ARTICLE
21 May 2025

Getting Ahead Of The Curve: Preparing For CCPA's Pending Risk Assessment And Cyber Requirements

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

On May 1, 2025, the California Privacy Protection Agency (CPPA) published revised California Consumer Privacy Act (CCPA) regulations focused on privacy impact assessments (i.e., "risk assessments"), cyber audits, and automated decision-making (May 2025 Proposed Regulations).

The May 2025 proposed regulations would impose significant incremental compliance obligations on organizations with exposure to the CCPA. These proposed regulations have undergone multiple revisions. However, based on our conversations with legal partners at the International Association of Privacy Professionals (IAPP) conference in April, we anticipate that the May 2025 version of the proposed regulations, or a closely related version, will be enacted.

These May 2025 proposed regulations have faced criticism from organizations — like the Electronic Privacy Information Center (EPIC) — claiming that the regulations have been considerably diluted from previous drafts due to pressure from the tech industry, certain state lawmakers, and Gov. Gavin Newsom. From our perspective, although EPIC's criticism is valid, these newly proposed regulations still bring about significant changes to the compliance requirements of the CCPA.

This article series will focus on those incremental compliance obligations from the May 2025 proposed regulations that demand the longest lead time for implementation and adherence. Over the coming weeks, we will provide additional articles focused on implementation strategies for the focus areas cited below. Before we dive in, it is worth noting that the May 2025 proposed regulations are 120 pages in length and are incredibly prescriptive. Achieving compliance with these new CCPA requirements demands expert-level analysis and a thorough understanding of these regulations.

Notable Incremental Compliance Obligations

The May 2025 proposed regulations contain obligations that will require significant compliance investments with a long lead time. The most notable activities include:

Conducting Risk Assessments: Organizations must conduct a risk assessment for processing activities that include:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology for significant decisions
  • Profiling
  • Using personal information to train automated decision-making technology

Reporting Risk Assessment Metrics to the CPPA: Starting in April 2028, businesses must submit information regarding risk assessments conducted in 2026 and 2027 to the CPPA via its website. This includes the number of risk assessments conducted or updated by the business, the categories of personal information included in the risk assessments, and a written certification.

Conducting Cybersecurity Audits: Starting in April 2028, organizations that have over $100 million in revenue will need to complete a cybersecurity audit. The audit covers cybersecurity requirements aligned with the National Institute of Standards and Technology Cybersecurity Framework, along with an evaluation of the organization's data map and records retention schedules. The completed audit must then be certified by the highest-ranking executive with authority at the organization through the CPPA's website.

Begin Planning Today

We view these May 2025 proposed regulations as the next significant transformation for privacy programs and encourage our clients and organizations to initiate the planning process now so that they allocate appropriate funds for 2026. The 2026 budget cycle likely starts for most organizations in Q3 of 2025 (i.e., a few months after writing this article).

In particular, organizations will need to report to the CPPA on the number of risk assessments completed in 2026, meaning they cannot delay conducting these assessments until 2028. Additionally, we anticipate that before conducting cybersecurity audits, many organizations will need to develop data maps and record retention programs. Some may also conduct pre-assessment audits as a trial run. In our view, these activities could require a 24-month lead time, making it essential for budgeting and planning to begin in Q3 2025, with readiness work starting no later than April 2026.

In our next article of this series, we will focus on the requirements in Article 9 of the May 2025 Proposed Regulations titled "Cybersecurity Audits."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
