1 September 2025

California Finalizes New CCPA Rules On ADMT, Cybersecurity Audits, And Risk Assessments

Sheppard, Mullin, Richter & Hampton LLP

Contributor

A.J. Dhaliwal’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Aerospace & Defence industries

On July 24, the California Privacy Protection Agency (CPPA) approved a major rule package covering automated decision-making technology (ADMT), mandatory cybersecurity audits, and privacy risk assessments under the California Consumer Privacy Act (CCPA). The package narrows the definition of ADMT to tools that replace human decision making for significant decisions in areas like lending, housing, employment, education, and health care.

For financial institutions, the rules impose new requirements on ADMT used in lending and employment, as well as mandatory cybersecurity audits and risk assessments tied to data processing activities. The package also includes targeted updates to existing CCPA regulations.

Apart from the above-described changes, key updates to the Act include:

  • Consumer rights for ADMT. When ADMT is used for significant decisions, businesses must provide a pre-use notice, allow access explanations, and generally offer an opt-out, subject to limited exceptions, including a human appeal option. Compliance obligations become effective January 1, 2027.
  • Annual cybersecurity audits. Audits are required when processing creates "significant risk," such as when 50% of revenue is derived from selling or sharing personal information or when statutory revenue and data thresholds are met. Certifications begin April 1, 2028 for businesses over $100M in revenue, with smaller firms phased in by 2030.
  • Risk assessments for high-risk processing. An assessment requirement is triggered by selling or sharing data, handling sensitive information, or using ADMT for significant decisions. Existing activities must be assessed by December 31, 2027, with annual summaries starting April 1, 2028.
  • Updates to CCPA rules. New provisions require parity between opt-out and opt-in steps, privacy-policy links on every collection page, and the ability for consumers to request data collected beyond the previous 12 months.

Putting it into Practice: Start building the 2026–2027 ADMT compliance runway now. The compliance deadlines may seem distant, but the lift is substantial: ADMT inventories, cybersecurity audit programs, and risk-assessment templates all require coordination across legal, compliance, technology, and business units. For financial institutions, mapping in-scope ADMT goes beyond a technical review and requires engagement with underwriting, HR, marketing, and fraud teams to identify where automated tools are making or influencing significant decisions. Establishing an audit program that meets independence standards means creating governance that boards and executives can stand behind when regulators or plaintiffs'

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
