On July 24, 2025, during its scheduled Board Meeting, the California Privacy Protection Agency (CPPA) Board voted unanimously to finalize rules governing the use of automated decision-making technology, risk assessments, cybersecurity audits and insurance under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).
A final package of the regulation will be prepared and presented to California's Office of Administrative Law (OAL), which will have 30 business days to determine if the rules will become final. In the event that the rules are finalized, the following compliance deadlines will apply:
- January 1, 2027: Businesses will need to comply with automated decision-making technology requirements under the regulation.
- April 1, 2028: Businesses with over $100 million in gross revenue will need to comply with cybersecurity audits under the regulation.
- April 21: 2028: Businesses must comply with risk assessments under the regulations, with the filing of the first annual assessment attestation to be due by this date.
- April 1, 2029: Businesses with between $50 million and $100 million in gross revenue must comply with cybersecurity audits under the regulation.
- April 1, 2030: Businesses with under $50 million in gross revenue must comply with cybersecurity audits under the regulation.
We will keep you apprised of all legislative developments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
