Navigating the CPPA's New Regulations on Automated Decision-Making, Risk Assessments, and Cybersecurity Audits
On July 24, the California Privacy Protection Agency (CPPA) approved a sweeping package of draft regulations (the Regulations) that, once finalized, will materially expand compliance obligations for businesses subject to the California Consumer Privacy Act (CCPA). The Regulations span three primary areas: automated decision-making technology, privacy risk assessments, and cybersecurity audits. They also include an array of updates to previously promulgated regulations. While the Regulations await final approval, organizations should begin assessing how their existing data-handling practices, vendor contracts, governance frameworks, and public-facing disclosures will need to evolve.
Below, we introduce the three major pillars of the Regulations and other miscellaneous changes, and provide guidance on the steps to take to ensure that compliance programs address these changes.
Automated Decision-Making Technology
The New Regulations
The first of three core areas covered by the Regulations addresses the use of automated decision-making technology (ADMT). The Regulations define ADMT as "any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking," or, in other words, technology that makes decisions without human involvement. Other consumer privacy laws regulate "profiling," meaning the automated processing of personal information (PI) to evaluate certain personal aspects of a person in order to analyze or predict that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The definition of ADMT is broader than profiling and covers more data uses than other privacy laws. Certain technologies are excluded from ADMT so long as they do not replace human decision-making, including web hosting, networking, firewalls, antivirus software, calculators, and spreadsheets. "Human involvement" requires a human reviewer who knows how to interpret and use the technology's output along with other information relevant to the decision, and who has the authority to make or change the decision based on that information.
The Regulations impose rules on businesses that use ADMT to make "significant decisions." A significant decision is any determination that results in the provision or denial of financial or lending services, housing, educational enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.
Requirements
Access Rights
Businesses must provide each consumer with the right to access information about how the business has used ADMT to make decisions about the consumer. In response to a consumer's request to access ADMT, the business must disclose:
- The specific reason that the business uses ADMT.
- Information about the ADMT's decision-making logic.
- The outcome of the decision for that consumer, including whether the algorithm was the sole factor or whether humans intervened.
- If applicable, any intended future use of the output.
Opt-Out Rights
Businesses must also give consumers the ability to opt out of the use of ADMT to make decisions about them. Notably, opt-out requests are expressly deemed "non-verifiable," meaning a business may not demand additional identifying data as a condition of processing the request. The right to opt out of ADMT is subject to carve-outs. A business is not required to honor an opt-out request when any of the following is true:
- The business provides a mechanism for the consumer to appeal any decision to a human reviewer with authority to overturn the decision.
- The ADMT is used solely for certain admissions, acceptance, or hiring decisions, provided the ADMT assesses the ability to perform and does not unlawfully discriminate.
- The ADMT is used solely to allocate or assign work or compensation, and it does not unlawfully discriminate.
Pre-Use Notice
Prior to deploying ADMT for significant decisions, a business must deliver a conspicuous "Pre-Use Notice" at or before the point when the consumer's PI is processed. The notice must:
- Be presented in the manner in which the business primarily interacts with the consumer.
- Inform consumers of their rights to access and opt out of the ADMT (or how to appeal a decision to a human reviewer); the alternative method the business will use to make a decision if the consumer opts out, such as a purely human review workflow; and affirm that the consumer will not be retaliated against for exercising these rights.
- Explain in consumer-friendly language how the ADMT operates, including the categories of PI that affect the output of the ADMT, the type of output generated, and how that output is used by the business to make final decisions.
If a business is not required to provide the consumer with the right to opt out of ADMT, the Pre-Use Notice must specifically identify the exception to that right on which the business is relying. The Pre-Use Notice may be combined with the business's notice at collection.
Privacy Policy Updates
In parallel, a business's online privacy policy must be updated to reflect the consumer's right to opt out of ADMT uses and the separate right to request access to information about how ADMT influenced a particular outcome. As with the Pre-Use Notice, a business must specifically identify any exception to the opt-out right on which the business is relying.
What Should Businesses Do Now and What's the Deadline?
To address the above requirements, businesses, and particularly compliance functions, should begin taking the following steps (as outlined in greater detail below and in our CCPA Compliance Framework):
- Review (or develop) the business's data map and list of use cases to determine whether any fit within the definition of ADMT. As part of this review, the business will want to revisit any current privacy risk assessments and begin the assessment process for ADMTs as described under the Risk Assessments section below.
- Draft and operationalize Pre-Use Notices.
- Update the business's web form for collecting consumer requests to add the new ADMT access and opt-out rights.
- Update the consumer request process, including:
  - Addressing opt-out and access request responses.
  - Making sure there are no requirements for consumers to verify their identity where verification is not permitted (e.g., opting out of ADMT, cookies, and sales and sharing of PI).
  - Updating the business's Privacy Notice, for example, to describe the new rights given, such as access and opt out, and whether consumers can appeal ADMT decisions to a human reviewer.
  - For businesses that make ADMT available to other businesses, compiling the information those other businesses may need to conduct their own risk assessments.
Compliance Timeline
Compliance with the ADMT provisions will begin on January 1, 2027.
Risk Assessments
The New Regulations
While privacy risk assessments (often called data protection impact assessments (DPIA) or data protection assessments (DPA)) have been a common feature under the European Union's General Data Protection Regulation and other state consumer privacy laws, the Regulations bring them into force in California for the first time.
Risk Assessment Triggers
The Regulations require businesses to conduct privacy risk assessments when they:
- Sell PI or disclose PI for targeted advertising.
- Process sensitive PI (subject to limited employment-related exceptions).
- Use ADMT to make significant decisions.
- Use automated processing to derive information about consumers from systematically observing them in educational or employment contexts.
- Use automated processing to infer information about consumers based on their presence in sensitive locations such as healthcare or religious settings.
- Process PI to train ADMT models that will be used for significant decisions.
Requirements
Risk Assessment Requirements
The assessment document must identify how PI will be collected and processed as part of the use case, including the sources of PI, retention periods or criteria, interaction channels with consumers, the approximate number of affected individuals, categories of recipients, and any disclosures provided to consumers. If ADMT is implicated, the business must describe the logic of the ADMT and its expected outputs. The assessment must weigh the benefits of the processing against potential negative impacts on consumers and, if risks are identified, describe the safeguards the business will implement. Unlike many other consumer privacy laws, the Regulations do not include a safe harbor that would allow businesses to rely on risk assessments that are reasonably similar in scope and conducted in compliance with other state laws. Instead, risk assessments must independently meet all of the requirements set forth in the Regulations.
Service providers and contractors are obliged to cooperate and furnish whatever information the business or its auditors need to fulfill the risk assessment mandate, and contractor and third-party agreements must reflect that duty. Further, employees involved in determining the means or purposes of processing PI (e.g., engineering, data science, product, or marketing personnel) must participate in the assessment. The risk assessment must also document all individuals (except legal counsel) who contributed to it.
Submission of Risk Assessment Summaries
Annually, businesses will be required to submit a high-level attestation describing their privacy risk assessments. The submission must include the company's name, contact information, the period covered, the number of assessments completed by type of processing activity, the PI categories implicated, and a certification—signed by an executive with direct responsibility and personal knowledge—that the assessments were actually performed.
What Should Businesses Do Now and What's the Deadline?
To address the above assessment requirements, businesses should begin taking the following steps (as outlined in greater detail below and in our CCPA Compliance Framework):
- Review the company's data map or otherwise collect a list of use cases to determine which uses require a risk assessment.
- Determine a process to identify and report new use cases that may require a risk assessment and then operationalize the completion of such an assessment before the use case goes into effect.
- Conduct a gap analysis of current DPIAs against the requirements of the Regulations and update risk assessments where necessary.
- Draft a Data Protection Impact Assessment Policy (or revise any current policy) to document the process for identifying use cases, completing and memorializing the risk assessment itself, as well as the process for submitting the summaries (with attestation) to the CPPA.
- Identify a process for submission and attestation of summaries to the CPPA, including identifying an official inside the business who is responsible for such attestations.
- Review the business's template DPA and revise it as needed to require third parties to assist with relevant risk assessments.
Compliance Timeline
Businesses must conduct risk assessments for their current processing activities by December 31, 2027, and submit information regarding those assessments to the CPPA by April 1, 2028. Summaries must be submitted annually thereafter.
Cybersecurity Audits
The New Regulations
The Regulations will also impose recurring cybersecurity audit requirements on businesses that handle large volumes or sensitive classes of PI, or that earn most of their revenue from PI sales or sharing. Specifically, a cybersecurity audit becomes mandatory if a business does any of the following:
- Derives at least 50% of its annual revenue from selling PI or sharing it for targeted advertising purposes.
- Processes PI of at least 250,000 consumers in a calendar year.
- Processes sensitive PI of at least 50,000 consumers in a calendar year. Sensitive PI includes information such as social security and driver's license numbers; financial account access credentials; precise geolocation; information about a consumer's race or ethnic origin; citizenship status; religious beliefs; union membership; biometric identifiers; information about a consumer's health, sex life, or sexual orientation; and information about consumers known to be under 16.
Requirements
Audits must be performed by independent assessors. Internal auditors are permissible only if they report directly to an executive who is not responsible for day-to-day cybersecurity operations. The Regulations enumerate a non-exhaustive list of security program components that the audit must evaluate, including authentication mechanisms, encryption protocols, identity and access management, asset and configuration management, endpoint protection, and workforce security education.
The audit report must identify both the policies, procedures, and practices evaluated and the specific evidence reviewed. It must opine on the effectiveness of each cybersecurity domain, detail any gaps or weaknesses, and document a remediation plan. If the organization was required to notify any California regulator of a data breach during the audit period, the report must disclose that fact and append a representative copy of the breach notice.
Businesses may leverage an existing audit performed for another regulatory or business purpose, provided it meets all of the Regulations' substantive requirements, or may bridge any gaps with a supplemental audit. Upon completion, the business must submit a written certification to the CPPA, signed by an executive with direct cybersecurity responsibility and sufficient knowledge of the audit, attesting that the audit has been finalized in accordance with the Regulations. As with risk assessments, service providers and contractors must assist by providing the information necessary for the audit and must accept contractual obligations to that effect.
What Should Businesses Do Now and What's the Deadline?
To address the above audit requirements, businesses should begin taking the following steps (as described more fully below):
- If the business is already utilizing a third-party security auditor (e.g., for SOC 2 or NIST certification), contact that auditor for a timeline on when it will be updating its audit guidelines and determine whether there will be additional costs.
- If the business is only conducting internal security reviews currently, determine whether it wishes to bring in an outside auditor. Otherwise, the business must confirm that its internal auditors meet the requirements of the Regulations in the business's reporting structure and make sure that audit guidelines are updated.
- Review and revise the company's incident response procedures to confirm that breach information is provided to relevant personnel so that it can be documented in the audit as required.
- Develop and document in a policy the process for submitting a report and attestation to the CPPA, including identifying an individual to attest to the audit and confirming that the person meets the criteria (this may or may not be the same person providing an attestation for risk assessments).
- Review the business's template DPA and revise it as needed to require third parties to assist with relevant audits.
Compliance Timeline
The timeline for completing the initial audit is tiered according to revenue.
- Businesses whose 2026 gross revenue exceeds $100 million must complete an audit covering January 1, 2027, through January 1, 2028, with the report due by April 1, 2028.
- Businesses whose 2027 gross revenue exceeds $50 million must complete an audit covering January 1, 2028, through January 1, 2029, with the report due by April 1, 2029.
- The remaining businesses must provide an audit report covering January 1, 2029, through January 1, 2030, by April 1, 2030.
After April 1, 2030, any business that meets the threshold as of January 1 of a year must file an audit report covering the preceding year by the following April 1. For example, a business that, as of January 1, 2031, had processed PI about one million California consumers during 2030 must submit an audit report covering January 1, 2030, to January 1, 2031, by April 1, 2031.
Other Important Changes
Beyond the above headline items, the Regulations introduce a series of refinements that, collectively, will require meaningful review of a business's privacy notices, user interfaces, retention schedules, and training programs. Some of those changes include:
Data Minimization
Service providers and contractors remain permitted to retain and use PI obtained from a business for certain limited internal purposes, but the Regulations now impose specific data minimization requirements for those uses.
Dark Patterns and Affirmative Consent
The Regulations have transformed what were previously "illustrative" dark-pattern examples, such as banners that only provide "Accept" and "More Information" options, into binding rules. The Regulations also now make clear that ignoring or closing a pop-up without clicking "Accept" or simply navigating away does not constitute valid consent.
Processing Requests to Opt Out of Sales/Sharing
Businesses must provide a way for consumers to confirm that their opt-out requests have been honored, such as an on-screen or in-app acknowledgment, and to indicate whether any global opt-out preference signal has been processed. Further, the Regulations now state explicitly that, in some circumstances, honoring opt-out requests "as soon as possible" requires immediate compliance.
Additional Requirements for Consumer Requests
If a business retains PI about consumers for more than 12 months, it must offer consumers a way to request access to their PI from earlier periods, such as allowing the requester to specify a date range. When a consumer's PI is corrected at the consumer's request, the business must take reasonable steps to ensure the corrected information is accurate across source systems, backups, and other data feeds.
Training Requirements
Businesses that require consumers to submit privacy requests by phone are required to ensure that employees responsible for receiving and responding to those requests receive adequate training.
How Businesses Can Prepare
The Regulations will next be submitted to the California Office of Administrative Law, which will have 30 working days to evaluate whether the Regulations comply with the California Administrative Procedure Act and file the regulations with the California Secretary of State. Businesses, however, should begin preparing for the Regulations now, as compliance can be labor-intensive and require significant time.
Inventory ADMT or Other High-Risk Use Cases
Businesses should create a data map of the inflow, processing, storage and disclosure of all PI. That map should particularly include a review and inventory of current and planned uses of ADMT and other PI activities that may be considered high risk. The Regulations have new notice, access, operations and risk assessment requirements for these uses. An early gap analysis is key.
Update Notices, Privacy Policies, and Consumer Request Mechanisms
Businesses that use ADMT for regulated use cases will need to draft Pre-Use Notices, update their Privacy Policies, and update their consumer privacy request mechanisms and processes to describe how the business uses ADMT and how consumers can request access to and opt out of that ADMT.
Consider Risk Assessment Requirements
While risk assessments have been required by most privacy laws, the Regulations have specific requirements on the information contained in those assessments that may not align with a business's current practice. Businesses should also consider the implications of the requirement that risk assessment summaries be submitted to the CPPA. For example, the efficacy of opt-out and other consumer rights mechanisms is a known area of enforcement focus for the CPPA. The risk assessment submission requirement may give the CPPA a roadmap to identify where opt-out mechanisms are needed and to test those mechanisms.
Review Cybersecurity Audit Practices
A common request during the notice-and-comment period was that the CPPA specifically deem commonly used audits, such as SOC 2 Type 2 audit reports, sufficient under the Regulations' cybersecurity audit requirements, which the CPPA declined to do. Businesses should ensure that the scope of their audits covers every area required by the Regulations. In particular, businesses that have historically relied on ad-hoc internal reviews or narrowly scoped technical assessments will need to plan for more expansive, evidence-based audits. The attestation requirement introduces a new personal liability component for cybersecurity executives in non-public companies, making it even more important that the business plans early to meet the Regulations' report timelines.
Update Incident Response Procedures
The Regulations will require the cybersecurity audit report to identify whether the business was required to notify any agency with jurisdiction over privacy laws in California of any data breach and include a sample copy of those notifications. Incident response policies and processes should be revised to account for documenting this information for inclusion in the audit report.
Review Technical Implementations of Opt-Out and Consent Mechanisms
Some changes in the Regulations underscore the CPPA's focus on ensuring that consumers can exercise their rights effectively. Businesses need to review both the user experience and the technical operation of their websites and other PI collection points for compliance. In particular, businesses should look out for unequal choices for opting in vs. opting out of data collection, the point in time at which cookies and other cross-website tracking scripts load for a user, and whether the choices made by the user function at a technical level as intended.
Review Current Vendor Agreements
Agreements with vendors that process PI or provide ADMT should be reviewed and, if necessary, amended to require the vendors to provide information and services necessary for the business to complete cybersecurity audits and risk assessments, make appropriate disclosures in Pre-Use Notices and privacy policies, and/or assist with compliance obligations relating to the ADMT provided by the vendor.
Review and Update Internal Policies and Procedures
To implement the above requirements, businesses will need to create or update various internal policies and procedures. For example, policies and procedures that may need updating include:
- Data maps to track ADMT uses.
- New Pre-Use Notices for ADMT uses and updated Privacy Notices to describe ADMT uses and new consumer rights relating to ADMT.
- Revised consumer rights request processes for ADMT.
- Risk assessment procedures and templates to capture new uses of ADMT and document all information required by the Regulations.
- Vendor management policies and procedures to ensure that vendors are providing information necessary for cybersecurity audits and risk assessments and are complying with opt-out requests for ADMT.
- Audit policies to account for new cybersecurity audit requirements and submission of attestations to the CPPA.
- Record retention schedules for risk assessment and cybersecurity audit documentation.
- Training for personnel fielding consumer requests by phone.
For a full list of policies and procedures impacted by the Regulations, see our CCPA Compliance Framework.
If you have questions about how the Regulations may affect your business, or need assistance conducting privacy risk assessments, preparing for a cybersecurity audit, or updating consumer notices and contracts, the members of the Privacy & Data Security team are available to help.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.