Baker Botts is a leading global law firm. The foundation for our differentiated client support rests on our deep business acumen and technical experience built over decades of focused leadership in our sectors and practices. For more information, please visit bakerbotts.com.

On 24 July 2025, the California Privacy Protection Agency (CPPA) unanimously approved a long-awaited and much-debated rulemaking package that addresses: (i) the use of automated decision-making technology (ADMT), (ii) mandatory risk assessments for high-risk data processing, and (iii) annual cybersecurity audits. The regulations were passed under the California Consumer Privacy Act (CCPA) and now await procedural approval by the California Office of Administrative Law (OAL) within 30 days. Although enforcement will be phased in between 2027 and 2030, covered businesses should begin preparing now: inventory ADMT use cases, identify a cybersecurity audit partner, and develop risk assessment processes.

Overview of the New Rules

A. Automated Decision-Making Technology Rule

The CPPA's first rule governs the use of automated decision-making technology (ADMT) by businesses subject to the CCPA. In particular, where ADMT is used or relied upon in making "significant decisions" about a consumer—such as those affecting access to employment, housing, credit, health care, education, insurance, or essential goods—the business takes on certain obligations.

The definition of ADMT underwent extensive revision throughout the rulemaking process and is ultimately defined as any technology that "replaces or substantially replaces human decision-making" when processing personal information. References to "artificial intelligence" and "behavioral advertising" were removed, but the definition remains broad enough to capture machine learning models, rule-based scoring systems, facial recognition, and even advanced spreadsheets when they materially influence decisions. Certain forms of "extensive profiling" also remain in scope, such as workplace or educational profiling and public-space surveillance.

Where a business uses ADMT for significant decisions, it must: (i) provide a detailed pre-use notice of ADMT (which can be included in the standard privacy notice); (ii) offer an opt-out mechanism for ADMT unless a limited exception applies (e.g., providing a method to appeal the automated decision to a human reviewer with authority to overturn it); and (iii) furnish additional individualized information about its ADMT use upon request (e.g., the ADMT logic, the ADMT output, and how outputs are used in the decision-making process).

B. Risk Assessment Rule

The CPPA's second rule requires businesses to conduct written risk assessments before undertaking certain high-risk data processing activities, including: (i) selling or sharing personal information; (ii) processing sensitive personal information; (iii) using ADMT for significant decisions; (iv) training ADMT to perform identification, trait inference, emotion analysis, or facial recognition; and (v) automated processing of personal information to infer traits related to an individual's employment, education, or presence in a sensitive location. The risk assessment must identify the purposes, benefits, reasonably foreseeable risks, and proposed safeguards related to the processing, as well as operational elements such as the collection process, retention periods, number of consumers affected, and disclosures made to consumers. Businesses must submit all risk assessments to the CPPA by April 2028 (for assessments conducted in 2026 and 2027) or by April of the following year (for assessments conducted in 2028 onward).

C. Cybersecurity Audit Rule

The third primary rule establishes that any CCPA-bound business whose data processing could pose a "significant risk to consumers' security" must complete an independent cybersecurity audit annually. Audits must be based on evidence rather than mere management attestations and must be conducted by a qualified, objective, and independent professional (who may be external or internal; if internal, the auditor must not be responsible for the cybersecurity program being audited). The audit must test controls across enumerated areas such as multi-factor authentication, encryption, access management, vulnerability testing, incident response, and vendor oversight. Companies may rely on audits prepared for another purpose under existing frameworks (e.g., NIST CSF 2.0, SOC 2 Type II, ISO 27001) so long as the scope and independence requirements are met.

Following completion of each annual cybersecurity audit, a senior executive (or a designated board member, for public companies) must certify completion, and that certification must be filed with the CPPA by staggered deadlines based on the business's annual revenue. Supporting audit documentation must be retained for at least five years.

Key Compliance Deadlines