At its July 24, 2025 meeting, the Board of the California Privacy Protection Agency voted unanimously to finalize regulations on automated decisionmaking technology, risk assessments, cybersecurity audits, and other areas. The culmination of a years-long effort that began early in 2023, the rulemaking package will soon be submitted to the California Office of Administrative Law, which has thirty working days to review and approve the package. Pending legal challenges or delay from OAL's review, the regulations will take effect January 1, 2026.
These rules represent a significant shift in the privacy, security and artificial intelligence regulation landscape. While the final rules are less expansive than earlier drafts, businesses will need to operationalize several new obligations under the regulations, including (but certainly not limited to):
- Honoring new consumer requests to access and opt out of the use of automated decisionmaking technology.
- Undergoing annual, independent cybersecurity audits and submitting a certificate of completion to the CPPA.
- Conducting risk assessments in a broad range of required scenarios, including when selling or sharing personal information.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.