California Finalizes ADMT & Cybersecurity Rules Under CCPA


On July 24, 2025, the California Privacy Protection Agency (“CPPA”) cleared a long-awaited rulemaking package by a 5-0 vote, adopting rules on automated decision-making technology, risk assessments, cybersecurity audits, and updates to the California Consumer Privacy Act (“CCPA”) regulations. The rulemaking package will now be submitted to the California Office of Administrative Law, which will have 30 business days to decide if the rules may become final.

If finalized, businesses will need to comply with the new regulations by the following deadlines:

  • ADMT Regulations: January 1, 2027.
  • Security Audits:
    • For businesses with over $100 million in gross revenue: April 1, 2028.
    • For businesses with between $50 million and $100 million in gross revenue: April 1, 2029.
    • For businesses with under $50 million in gross revenue: April 1, 2030.
  • Risk Assessment Reports: April 21, 2028.

The major changes are summarized below:

Automated Decision Making

“Automated decisionmaking technology” or “ADMT” is defined in the new regulations as any technology that processes personal information and uses computation to replace human decision making or substantially replace human decision making. See § 7001(e). For purposes of this definition, to “substantially replace human decision making” means a business uses the technology’s output to make a decision without human involvement.

ADMT includes profiling but does not include web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam- and robocall-filtering, spellchecking, calculators, databases, and spreadsheets, provided that they do not replace human decision making.

The new regulations impose extensive obligations on businesses that use ADMT to make “significant decisions” concerning a consumer, including requiring businesses to allow consumers to access ADMT, opt-out of the use of ADMT, and appeal ADMT. The regulations define a “significant decision” as a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.

Pre-Use Notice

A business that uses ADMT to make a significant decision concerning a consumer must provide consumers with a Pre-Use Notice at or before the point when the business collects the consumer’s personal information that it plans to process using ADMT. If a business has already collected the consumer’s personal information for a different purpose and subsequently plans to process it using ADMT, the business must provide a Pre-Use Notice before processing the consumer’s personal information for that purpose.

The Pre-Use Notice must contain the following:

  • A plain language explanation of the specific purpose for which the business plans to use the ADMT – this cannot be described in generic terms, such as “to make a significant decision”.
  • A plain language explanation of how the ADMT processes personal information to make a significant decision about consumers, including the categories of personal information that affect the output generated by the ADMT, the type of output generated by ADMT, and how that output is used to make a significant decision.
  • What the alternative process for making a significant decision is for consumers who opt out of the use of ADMT.
  • Information regarding consumers’ rights to opt-out of ADMT and to access ADMT.
  • A link through which consumers can opt-out of the business’s use of ADMT.

A business’s Pre-Use Notice is not required to include trade secrets, or information that would compromise the business’s ability to prevent, detect, and investigate security incidents, resist malicious, deceptive, fraudulent, or illegal actions directed at the business or at consumers, to prosecute those responsible for those actions, or ensure the physical safety of natural persons.

The Pre-Use Notice may be included in the Notice at Collection.

Privacy Policy

Additionally, if a business uses ADMT to make a significant decision concerning a consumer, the business’s Privacy Policy must include an explanation of the consumer’s right to opt-out of ADMT, the right to access ADMT, and the right not to be retaliated against for exercising the above rights, including when a consumer is an applicant to an educational program, a job applicant, a student, an employee, or an independent contractor. The Privacy Policy shall also include a general description of the process the business uses to verify a consumer request to access ADMT.

Requests to Access ADMT

A business that uses ADMT to make a significant decision must provide a consumer with information about this use when responding to a consumer’s request to access ADMT.

The business’s response must provide plain language explanations of the following:

  • The specific purpose for which the business used ADMT with respect to the consumer, not to be described in generic terms.
  • Information about the logic of the ADMT that enables a consumer to understand how the ADMT processed their personal information to generate an output with respect to them.
  • The outcome of the decision-making process for the consumer, including how the business used the output of the ADMT to make a significant decision with respect to the consumer.
  • If the business also plans to use the output to make an additional significant decision concerning the consumer in the future, the business’s explanation must include how the business plans to use that output to make a significant decision about the consumer in the future.

Human Review Exception for Opt-Outs

A business must generally provide consumers with the ability to opt-out of the use of ADMT to make a significant decision concerning the consumer. However, this opt-out right is not required if the business provides the consumer with a method to appeal the decision to a human reviewer who has the authority to overturn the decision.

To qualify for this exception, the business must do all of the following:

  • Designate a human reviewer to review and analyze the output of the ADMT and any other information that is relevant to change the significant decision at issue. The human reviewer must consider the relevant information provided by the consumer in support of their appeal and may consider any other sources of information about the significant decision. The human reviewer must also know how to interpret and use the output of the ADMT that made the significant decision being appealed and must have the authority to change the decision based on their analysis.
  • Clearly describe to the consumer how to submit an appeal and enable the consumer to provide information to the human reviewer in support of their appeal.
  • Comply with the relevant disclosures, timelines, and verification requirements set forth in the regulations.

Timelines for Responding to Consumer Requests

A business shall confirm receipt of a request to access ADMT or a request to appeal ADMT no later than 10 business days after receiving the request. The business shall also provide information about how it will process the request, including a description of the business’s verification process and when the consumer should expect a response.

Businesses shall respond to a request to access ADMT and request to appeal ADMT no later than 45 calendar days after receipt of the request, extendable by an additional 45 calendar days with notice to the consumer.

Additional Requirements for Businesses Collecting Large Amounts of Personal Information

If a business processes the personal information of 10,000,000 or more consumers in a calendar year, it will also be required to compile the following metrics for the previous calendar year:

  • The number of requests to access ADMT that the business received, complied with in whole or in part, and denied, and
  • The number of requests to opt-out of ADMT that the business received, complied with in whole or in part, and denied.

Cybersecurity Audits

Every business whose processing of consumers’ personal information presents “significant risk” to consumers’ security must complete a cybersecurity audit.

A business’s processing of consumers’ personal information presents significant risk to consumers’ security if either of the following applies:

  • The business derived 50 percent or more of its annual revenue from selling or sharing consumers’ personal information in the preceding calendar year; or
  • The business had annual gross revenues in excess of $26,625,000 in the preceding calendar year, and in that year it either:
    • Processed the personal information of 250,000 or more consumers or households; or
    • Processed the sensitive personal information of 50,000 or more consumers.

The regulations set forth extensive requirements to ensure the thoroughness and independence of audits. Every business required to complete a cybersecurity audit must do so using a qualified, objective, and independent auditor applying procedures and standards accepted in the profession, such as those provided or adopted by the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, the Information Systems Audit and Control Association, or the International Organization for Standardization. To be qualified, an auditor must have knowledge of cybersecurity and of how to audit a business’s cybersecurity program.

If a business uses an internal auditor, the highest-ranking auditor must report directly to a member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program. A member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program must conduct the highest-ranking auditor’s performance evaluation, if any, and determine the auditor’s compensation.

A business may utilize a cybersecurity audit, assessment, or evaluation that it has prepared for another purpose, provided that it meets all of the requirements of the regulations, either on its own or through supplementation.

Risk Assessments

Every business whose processing of consumers’ personal information presents “significant risk” to consumers’ privacy must conduct a risk assessment before initiating that processing.

The following processing activities present significant risk to consumers’ privacy:

  • Selling or sharing personal information.
  • Processing sensitive personal information, except if the business processes the sensitive personal information of its employees or independent contractors solely and specifically for administering compensation payments, determining and storing employment authorization, administering employment benefits, providing reasonable accommodation as required by law, or wage reporting as required by law.
  • Using ADMT for a significant decision concerning a consumer.
  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements, based upon systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business.
  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, or movements, based upon that consumer’s presence in a sensitive location.
  • Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer.

A business must conduct a risk assessment to determine whether the risks to consumers’ privacy from the processing of personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public from the processing. The findings must be included in a comprehensive risk assessment report.

A business must review and update its risk assessments at least once every three years. If there is a material change relating to the processing activity, the business must update its risk assessment as soon as feasibly possible, and no later than 45 calendar days from the date of the material change.

A business must retain its risk assessments, including original and updated versions, for as long as the processing continues or for five years after the completion of the risk assessment, whichever is later.

What Businesses Should Do Now

To stay ahead of enforcement, businesses should begin preparing immediately:

  • Evaluate your data processing for risk assessment or audit triggers.
  • Develop or update cybersecurity policies to align with the new standards.
  • Review ADMT systems and determine whether they fall under the new scope.
  • Update consumer-facing disclosures and opt-out mechanisms.
  • Document risk assessments for profiling or sensitive data use cases.
