ARTICLE
31 July 2025

California Regulator Finalizes CCPA Rules For Automated Decision Making, Cybersecurity Audits And Risk Assessments

Katten Muchin Rosenman LLP


On July 24, 2025, during its scheduled Board Meeting, the California Privacy Protection Agency (CPPA) Board voted unanimously to finalize rules governing the use of automated decision-making technology, risk assessments, cybersecurity audits and insurance under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).

A final package of the regulation will be prepared and presented to California's Office of Administrative Law (OAL), which will have 30 business days to determine if the rules will become final. In the event that the rules are finalized, the following compliance deadlines will apply:

  • January 1, 2027: Businesses will need to comply with automated decision-making technology requirements under the regulation.
  • April 1, 2028: Businesses with over $100 million in gross revenue will need to comply with cybersecurity audits under the regulation.
  • April 21, 2028: Businesses must comply with risk assessments under the regulations, with the filing of the first annual assessment attestation due by this date.
  • April 1, 2029: Businesses with between $50 million and $100 million in gross revenue must comply with cybersecurity audits under the regulation.
  • April 1, 2030: Businesses with under $50 million in gross revenue must comply with cybersecurity audits under the regulation.

We will keep you apprised of all legislative developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
