The California Privacy Protection Agency (CPPA) Board met on July 24, 2025, and advanced several key initiatives with direct implications for businesses operating in California.
The meeting focused on finalizing regulations pertaining to automated decision-making, risk assessments, and cybersecurity audits; advancing the California Delete Act’s Delete Request and Opt-Out Platform (DROP) rulemaking applicable to data brokers; and reviewing budget and legislative updates.
With enforcement capacity continuing to grow, and an increase in 2025 in CCPA and Delete Act enforcement settlements, businesses should be preparing for more structured compliance expectations in 2026 and beyond.
The CPPA Advanced the Proposed Regulations on ADMT, Risk Assessments, and Cybersecurity Audits for OAL Approval
The CPPA confirmed that it will move forward with the current version of its proposed regulations on automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits, without further revisions following the most recent public comment period. The 24-day comment window — which exceeded the required 15 days — generated over 575 pages of submissions from 70 commenters, including labor advocates, consumer groups, and industry stakeholders.
After review, staff concluded that no further changes were warranted and that the existing draft “strikes an appropriate balance” between privacy protections and business needs. The public comments were sharply divided.
Labor and consumer advocacy groups criticized the regulations as a significant retreat from protecting workers and consumers, arguing that they negatively impact employment and workers’ rights.
In stark contrast, technology industry representatives argued that the regulations were overly broad and could harm California’s innovation economy.
Representatives of some industry groups (such as healthcare and banking) argued that the proposed regulations create unnecessary burdens for their federally regulated sectors and could interfere with existing oversight mechanisms.
Additionally, multiple rideshare drivers provided personal testimonials about how automated decision-making technologies negatively impact their work through arbitrary deactivations and opaque performance evaluations.
The full regulatory package will be submitted to the Office of Administrative Law (OAL), which has 30 business days to issue its determination. If approved, the regulations will become enforceable immediately (although in practice some obligations, such as the cybersecurity audits, would technically not need to be completed until 2028) and will form the basis for future compliance expectations in California, unless court decisions intervene to alter the enforcement date.
While not the focus of this meeting, the final version of the regulations incorporates changes made during earlier comment rounds, including:
- Phasing in the cybersecurity audit obligations based on a business’s gross annual revenue over a three-year period to reduce the immediate burden on smaller companies – meaning that businesses with more than $100M annual gross revenue (based on 2026) would start the audits first, while those in the $50M-$100M range and those below $50M would have an additional two years and one year, respectively, before the cybersecurity audit requirements kick in;
- Removing the behavioral advertising threshold that would have triggered ADMT requirements;
- Narrowing the definition of ADMT to encompass technology that replaces or substantially replaces human decision-making – excluding technology that merely executes a decision or substantially facilitates human decision-making; and
- Narrowing the scope of ADMT rules to apply only when used in “significant decisions” – i.e., those that result in provision or denial of financial or lending, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.
DROP Rulemaking: Modifications and Second Comment Round
The CPPA Board also advanced revisions to its proposed DROP regulations, which operationalize the Delete Act’s centralized opt-out and deletion mechanism that data brokers must use. Following a 45-day comment period in March 2025, the agency proposed updates and approved releasing them for an additional 15-day public comment period. Key changes include:
- Suppression List Requirements: Clarified authorization to retain limited consumer data for record-matching and to share suppression data with contractors.
- Residency Verification: CPPA will confirm California residency before processing deletion requests to data brokers.
- Data Standardization Requirements: Adjustments made to enable handling of multiple identifiers, improve partial match functionality, and refine consent standards.
The agency reiterated its goal of having final regulations in place and effective by January 1, 2026. The staff also addressed Board questions about matching complexity and the use of hashed data to improve system reliability.
Budget Update: Growing Operations, Uncertain Enforcement Funding
The CPPA currently has 43 permanent staff across 53 authorized positions, with a growing emphasis on bringing enforcement, legal, and procurement capabilities in-house. However, staff flagged an ongoing concern: enforcement funds are not guaranteed or consistent year-over-year, potentially complicating long-term planning for investigations and compliance oversight.
By contrast, funds tied to the Data Broker Registry are statutorily earmarked for building and maintaining the DROP system. This distinction may signal that the agency will continue its enforcement activities and ramp up enforcement as regulatory obligations expand once the proposed regulations on ADMT, risk assessments, and cybersecurity audits become effective.
Legislation: Supportive Measures with Potential Business Impact
The CPPA reviewed and took positions on several privacy-related bills, including:
- AB 322 – Restricts collection and sale of precise geolocation data. Agency Position: Support.
- AB 566 – “California Opt Me Out Act,” requiring browsers to enable global privacy control signals. Agency Position: Support.
- AB 302 – Requires CPPA to maintain lists of elected officials and judges for special deletion handling. Agency Position: Support if amended, citing feasibility and verification concerns.