1 August 2025

California Finalizes CCPA Regulation Amendments: New Compliance Obligations For Cybersecurity, Risk Assessments, And Automated Decision-Making

Nelson Mullins Riley & Scarborough LLP


On July 24, 2025, the California Privacy Protection Agency (CPPA) Board approved a final package of amendments to the regulations implementing the California Consumer Privacy Act (CCPA). These sweeping changes impose substantial new compliance obligations on businesses operating in California, particularly in the areas of cybersecurity audits, data protection risk assessments, and automated decision-making technology (ADMT).

The amended regulations—designed to reinforce consumer protections, improve accountability, and guide the responsible use of emerging technologies—introduce complex, multi-phase requirements that begin taking effect in 2027. The final rules now proceed to the California Office of Administrative Law (OAL) for procedural approval.

Key Regulatory Updates

1. Mandatory Annual Cybersecurity Audits

Notably, the regulations require annual cybersecurity audits, performed by an independent auditor, for businesses that meet specific revenue and processing-volume thresholds. These include:

  • Deriving 50% or more of annual revenue from selling or sharing personal information; or
  • Annual gross revenue over $25 million (adjusted for inflation) and processing either:
    • Personal information of at least 250,000 consumers, or
    • Sensitive personal information of at least 50,000 consumers.

Audit Requirements – under the final rules, audits:

  • Must be conducted by a qualified, objective, independent professional (internal or external).
  • Must include:
    • An overview of audited systems and data environments;
    • An evaluation of cybersecurity programs aligned with industry standards for "reasonable security";
    • A gap analysis and remediation actions; and
    • A breach and incident review for the audit period.
  • Must preserve auditor independence: the highest-ranking auditor must report directly to a member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program.
  • Must result in a written audit report that is provided to a member of the business's executive management team who does have direct responsibility for the business's cybersecurity program. Note that these are two different reporting lines: the auditor's line of accountability runs to an executive outside the security function, while the findings go to the executive who owns the program and must act on them.

Compliance Deadlines:

  • April 1, 2028 – Businesses with annual revenue over $100 million
  • April 1, 2029 – Revenue between $50 million and $100 million
  • April 1, 2030 – Revenue under $50 million

Key Takeaway: Businesses must begin establishing audit processes now, including identifying qualified audit personnel, establishing internal reporting lines, and documenting cybersecurity practices comprehensively.

2. Data Protection Risk Assessments for High-Risk Processing

Businesses that engage in data processing activities deemed to present a significant risk to consumers' privacy will be required to conduct and submit formal risk assessments. Activities triggering this requirement include:

  • Selling or sharing personal information;
  • Processing sensitive personal information;
  • Using ADMT for significant decisions;
  • Profiling individuals using automated inferences in employment, education, or sensitive location contexts; and
  • Using consumer data to train ADMT or systems involving facial/emotion recognition or identity verification.

Risk Assessment Requirements – each assessment must include:

  • A detailed description of the processing purpose(s);
  • Risk/benefit analysis for consumers;
  • Mitigation measures taken; and
  • Consideration of less intrusive alternatives.

Service providers and vendors should also be prepared to support covered businesses in completing these assessments, potentially through data mapping assistance and impact evaluation.

3. New Governance Obligations for Automated Decision-Making Technology (ADMT)

The final rules significantly expand obligations around the use of ADMT, targeting technology that processes personal information and uses computation to replace, or substantially replace, human decision-making in legally or financially significant scenarios. While earlier drafts used the broader defined term "artificial intelligence," the final rules removed that term and instead focus narrowly on ADMT (which may include AI-based tools) used to make significant decisions about consumers.

Notable Obligations:

  • Pre-Use Notices: Before using ADMT to make a significant decision about a consumer, businesses must provide a notice that clearly describes the intended use, including the purpose for which the ADMT is used.
  • Right to Know & Appeal: Consumers must be informed when ADMT is used and given the right to access "meaningful information" about how the system works—including logic, inputs, and outcomes—and appeal decisions.
  • Opt-Out Mechanism: A new, separate opt-out link titled "Opt Out of Automated Decisionmaking Technology" is required on websites.
  • Opt-In Consent: Required when ADMT is used to process sensitive information or information related to minors.
  • Human Review Exception: ADMT that is subject to meaningful human oversight, where a human reviewer with the authority to change or override the output is involved in the decision, falls outside these obligations.

Compliance Deadline: January 1, 2027

4. Enhanced Transparency and Documentation Requirements

The amendments significantly enhance transparency expectations related to privacy notices, consumer rights, and internal documentation. These requirements include the following:

  • Prohibition on Vague Disclosures: General statements such as "to improve services" are no longer sufficient. Businesses must specify the exact categories of data collected and the specific purposes for each.
  • Content Requirements for Responses to ADMT Access Requests: Responses must include:
    • Clear explanations of the logic behind the ADMT;
    • Description of the system's input/output; and
    • Information about data sources and assumptions used in modeling.

These requirements aim to ensure consumers receive comprehensible, actionable information about how their data is used and decisions are made.

Recommended Next Steps for Businesses

To prepare for compliance with these newly finalized rules, businesses should begin:

  • Reviewing and updating privacy notices to meet new specificity and transparency requirements;
  • Conducting internal audits to assess whether cybersecurity audit and risk assessment requirements apply;
  • Inventorying and evaluating current and planned ADMT systems, including those used in hiring, benefits eligibility, financial services, or profiling;
  • Building governance frameworks for ADMT usage, including consumer-facing tools for opt-out and appeal; and
  • Engaging service providers and vendors in preparing for collaborative compliance with risk assessment and audit obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
