ARTICLE
22 August 2025

New CCPA Regulations: Culture Change And The Rise Of The Ex Ante Framework

Dykema

Contributor



Takeaways

  • The CCPA Dives Into Internal Governance. The new amendments introduce three major regulatory pillars: new requirements for Automated Decision-Making Technology (ADMT), mandatory annual cybersecurity audits, and a requirement for businesses to conduct pre-processing data protection risk assessments.
  • ADMT. With regard to automated decision-making and profiling, the CCPA has adopted pre-notice, risk assessment, consumer opt-out, and access obligations of the kind found in more recent privacy laws.
  • Mandatory Executive Oversight. Members of a business's executive management team are now directly responsible for overseeing the new mandatory cybersecurity audits and risk assessments and are responsible for making the necessary related certifications to the California Privacy Protection Agency (CPPA).
  • Phased Compliance Deadlines. The new regulations will likely be effective within the next four months and have compliance deadlines extending from 2027 through 2030.

Summary

After a tortured process taking years, the California Privacy Protection Agency has finalized the long-awaited amendments to the CCPA Regulations. The final package of regulations, now spanning more than 100 pages, is pending final review by the California Office for Administrative Law (OAL). If the OAL files the regulations by August 31, 2025, they will take effect on October 1, 2025. If the filing occurs between September 1 and November 30, the regulations will take effect on January 1, 2026.

Although significantly watered-down from initial drafts, the regulations still mark the next era of U.S. privacy regulation: expanding its focus from consumer notice and data rights to controlling the internal governance of a business.

The core message for businesses is clear: proactive, cross-functional planning is no longer optional. We knew this already, of course, and other regulatory schemes have long embraced this approach, but what was inherent in the CCPA is now explicit. The new regulations necessarily invoke a cultural change: (i) privacy and cybersecurity can no longer be treated as separate disciplines but must work as a single, integrated compliance function; and (ii) high-ranking executives now have skin in the CCPA compliance game.

Automated Decision-Making Technology (ADMT)

Notably, the finalized regulations completely disposed of the phrase "artificial intelligence" after nobody could figure out what it actually meant. Instead, the CPPA's definition of ADMT is based entirely on function and impact. ADMT is defined as any technology that processes personal information "to replace human decisionmaking or substantially replace human decision-making." It certainly includes "artificial intelligence" but also covers a great many tools that companies probably don't consider to be "artificial intelligence" at all.

The CPPA provides a clear, three-part test for what constitutes meaningful human involvement. The human reviewer must (1) know how to interpret the technology's output, (2) affirmatively review the output to make a decision, and (3) have the actual authority to make or change the technology's decision based on their own analysis.

Important for operations is that businesses must provide pre-use notice of ADMT when it is used to make a significant decision concerning the consumer, as well as provide for a consumer's ability to opt out of and appeal ADMT.

Cybersecurity Audits

The new regulations require annual cybersecurity audits for businesses that are deemed to present a "significant risk" to consumer privacy. This determination is tied to the scale of a business's operations relating to California consumers, so upfront factual diligence is required.

The audit can be internal or external, but it must be independent. An internal auditor cannot be the individual responsible for the business's cybersecurity program (e.g., the CISO), and the highest-ranking auditor within the business must report directly to a member of the executive management team who does not have direct responsibility for the cybersecurity program. While the full audit report does not need to be submitted to the CPPA, executive management must file an annual certified report to the CPPA confirming that the audit was completed.

The CCPA previously included a vague requirement for businesses to maintain "reasonable security." The new regulations give this standard a concrete, auditable definition by requiring audits that evaluate programs against something akin to "industry standards." This shifts the burden of proof onto the business to show that its security practices are not only reasonable but have been validated by an independent professional.

It may be possible to leverage existing audit frameworks, like NIST CSF 2.0 or SOC 2 Type II.

| Revenue Bracket | Compliance Deadline | Audit Period Covered |
| --- | --- | --- |
| Annual revenue of more than $100 million | April 1, 2028 | 2027 |
| Annual revenue between $50 million and $100 million | April 1, 2029 | 2028 |
| Annual revenue under $50 million | April 1, 2030 | 2029 |

After April 1, 2030, the cybersecurity audit becomes an annual obligation for any business that meets the criteria at the start of each year.

Data Protection Risk Assessments

While these detailed obligations regarding risk assessments are new to the CCPA, these concepts have been found in other U.S. state privacy regulation and globally for years now.

Businesses must conduct and maintain formal risk assessments for any high-risk data processing activities, such as selling or sharing personal information; processing sensitive personal information; using ADMT for significant decisions; profiling individuals in sensitive contexts; and using consumer data to train ADMT, facial recognition, or other biometric technologies.

While full risk assessments are not submitted to the CPPA, executive management must provide annual certified reports summarizing the completed assessments.

| Category | Cybersecurity Audit | Risk Assessment |
| --- | --- | --- |
| Triggering Criteria | Revenue/Data Thresholds | High-Risk Activities |
| Specific Triggers | 1. 50%+ revenue from selling/sharing personal information, OR 2. Annual gross revenue > $25M AND processes > 250k consumers' personal information or > 50k consumers' sensitive information. | 1. Selling or sharing personal information, OR 2. Processing sensitive personal information, OR 3. Using ADMT for significant decisions, OR 4. Profiling in sensitive contexts (like employment and education), OR 5. Using personal data to train ADMT for significant decisions or biometric systems. |
| Purpose | To evaluate the effectiveness of a business's cybersecurity program. | To restrict or prohibit processing if privacy risks outweigh benefits, and to document proactive measures. |
| Reporting | Annually, by April 1, a member of the business's executive management team must provide a written certification that the business completed the cybersecurity audit for the previous year. | Annually, by April 1, a member of the business's executive management team must provide information and metrics about the risk assessments performed in the relevant time frame. |

Other Items of Note

Many of the smaller edits codify enforcement interpretations and align the regulations with more recent privacy legislation trends, but not all of them:

  • Neural data has been added to the definition of "sensitive" personal information.
  • Dark pattern examples established in recent CPPA enforcement actions have been codified.
  • A clarification that a broad website terms of use or similar document cannot be used to secure "consent" for data processing.
  • The right to limit use of sensitive personal data must be presented at the point where sensitive personal data is collected.
  • Businesses must provide a way for consumers to verify that sensitive personal data maintained by the business is accurate without disclosing that data in writing (e.g., over the phone).
  • Service providers must cooperate with a customer business's cybersecurity audit by making available "all relevant information."
  • Businesses that touch more than 10,000,000 California consumers in a given year must publicly report ADMT consumer request statistics.

Action Items

  • Form a Council. CCPA compliance no longer belongs to an individual stakeholder. It requires multi-disciplinary collaboration of stakeholders from IT, data, privacy, legal, HR, and marketing.
  • Brief your Executives. Following the national trend, the CPPA is looking to make the individuals at the very top of an organization directly responsible for compliance and related foul-ups.
  • Don't trust your AI labels. The ADMT requirements apply to technologies that may not be considered "artificial intelligence" within your organization. Every important decision-making workflow that doesn't have a human being at the decision point must be evaluated.
  • Scope Out How to Comply with Cyber Audit Requirements. Internal risk assessments are routine by now, but an independent cybersecurity audit is no small task. Inventory current audits and both internal and external personnel to identify who can perform this obligation.
  • Scope Out How to Comply with ADMT Requirements. Pre-existing deployments of ADMT are not exempt from the new obligations. While a compliance buffer has been included, constructing and rolling out a pre-notice program that also permits access, opt-outs, and appeals will take time. Reach out to your AI vendors now to discuss how to implement the new requirements.
