This month, the California Privacy Protection Agency (CPPA) Board discussed updates to the California Consumer Privacy Act (CCPA) draft regulations related to cybersecurity audits, risk assessments, automatic decision-making technology (ADMT), and insurance.
The CPPA received comments on the first draft of the regulations between November 22, 2024, and February 19, 2025, and that feedback was presented to the Board at last month’s meeting.
Based on the discussions at last month’s meeting, the CPPA made further revisions to the draft, which include the following:
- Definition of ADMT: ADMT will no longer include technology that ONLY executes a decision or substantially facilitates human decision-making; the definition will only include technology that REPLACES or substantially replaces human decision-making.
- Definition of Significant Decision: Risk assessment and ADMT obligations are triggered by data processing activities that result in “significant decisions” affecting a consumer. The updated draft no longer treats decisions that determine “access” to certain services as triggering events. Decisions concerning financial or lending, housing, education, employment, and independent contracting services still qualify as significant decisions; insurance, criminal justice services, and essential goods and services were removed from the list in the latest draft.
- First-Party Advertising: Under the updated draft, companies are not required to conduct risk assessments or comply with the ADMT obligations simply because they profile consumers for behavioral advertising (i.e., first-party advertising does not trigger these requirements under the new draft).
- ADMT Training and Personal Information: Companies will only be required to conduct a risk assessment if they process personal information to train ADMT for specific purposes.
- Sensitive Location Profiling: Companies will not be required to conduct a risk assessment simply because they profile consumers through systematic observation in publicly accessible spaces; a risk assessment is required only if the company profiles a consumer based on that individual’s presence in a “sensitive location” (i.e., healthcare facilities, pharmacies, domestic violence shelters, food pantries, housing or emergency shelters, educational institutions, political party offices, legal services offices, and places of worship).
- Artificial Intelligence: The updated draft no longer refers to “artificial intelligence” (AI), and AI terminology has been removed. However, an AI system that replaces or substantially replaces human decision-making would still fall within the definition of ADMT and be subject to the ADMT requirements under the updated regulations.
- Cybersecurity Audits: If a company meets the risk thresholds, its first cybersecurity audit must be completed by:
  - April 1, 2028, if the business’s annual gross revenue for 2026 is more than $100 million;
  - April 1, 2029, if the business’s annual gross revenue for 2027 is at least $50 million but no more than $100 million;
  - April 1, 2030, if the business’s annual gross revenue for 2028 is less than $50 million.
  Thereafter, a company that meets the risk thresholds under the law must conduct a cybersecurity audit annually, irrespective of gross annual revenue.
- Submission of Risk Assessments: Under the updated draft, companies no longer have to submit their risk assessments to the CPPA; instead, the company must submit an attestation that the assessment was completed and a point of contact for the company. This documentation is due to the CPPA by April 1, 2028, for risk assessments completed in 2026 and 2027; after 2027, it must be submitted by April 1 of the year following any year in which a risk assessment was conducted.
So, what’s next?
- The CPPA initiated another public comment period, ending on June 2, 2025.
- The CPPA MUST finalize the draft regulations by November 25, 2025:
  - If the CPPA files the final regulations by August 31, 2025, the updates will take effect on October 1, 2025;
  - If the CPPA files the final regulations AFTER August 31, 2025, the updates will take effect on January 1, 2026.