CPPA Proposes Key Updates to Cybersecurity, Risk Assessment and ADMT CCPA Regulations Following Public Comment
Thursday, April 10, 2025
Print Mail Download info_icon_img/>i

The California Privacy Protection Agency (“CPPA”) recently released modified draft California Consumer Privacy Act regulations (“CCPA Regs.”) in response to public feedback, with a focus on the sections addressing cybersecurity audits, risk assessments, automated decisionmaking technology (“ADMT”) and sensitive data.

Cybersecurity Audits

New Definition of “Cybersecurity Audit Report”: The updated CCPA Regs. adds a definition of “cybersecurity audit report,” clarifying that the term refers to the specific documentation required as part of a business’s annual cybersecurity audit required under Article 9 of the CCPA Regs. (CCPA Regs. Sect. 7001(n)).

Expanded Scope of “Information Systems”: The definition of “information system” was revised to explicitly include service providers’ or contractors’ systems used on behalf of the business. This ensures businesses account for third-party environments when assessing cybersecurity risk. (CCPA Regs. Sect. 7001(w)).

Deadline-Specific Requirements for First Cybersecurity Audit: The updated CCPA Regs. include deadlines by which a business must complete its first cybersecurity audit, which is dependent upon when a business determines its processing activities present significant risk to consumers’ security. (CCPA Regs. Sect. 7121(a)).

Scope and Documentation of Cybersecurity Audits: The updated CCPA Regs. clarify that auditors may include recommendations “separate from articulating audit findings,” helping delineate reporting expectations. (CCPA Regs. Sect. 7122(a)(1)). The Regs. also include examples of what how a cybersecurity audit report must describe the audit’s scope (e.g., the processes, activities and components of the information system assessed), and extend the requirement to retain documents to both the business and the business’s auditor. (CCPA Regs. Sects. 7122(d), (j)).

Risk Assessments: Updates to Roles, Disclosures and Safeguards

Responsible Personnel and Decisionmakers: The updated CCPA Regs. now require that risk assessments identify not only the individuals who reviewed or approved the assessment but also the individual with the authority to determine whether the business will proceed with the associated data processing activity. (CCPA Regs. Sect. 7152(a)(9)).

Timing for Risk Assessments: The updated CCPA Regs. establish a calendar deadline for conducting risk assessments for data processing activities that began prior to the updated regulations’ effective date but continue afterward. (CCPA Regs. Sect. 7155(c)).

Automated Decisionmaking Technology (“ADMT”)

Consumer Rights and Business Obligations: The updated CCPA Regs. specify that, upon a consumer’s opt-out request, businesses must notify service providers and contractors of the specific ADMT use for which the consumer opted out. (CCPA Regs. Sect. 7221(n)(2)).

Removed Requirement to Document “Quality of Personal Information” in ADMT Risk Assessments: The CPPA removed a provision that would have required businesses to assess and document the quality of personal information (e.g., the accuracy, reliability and consistency of the information) used in ADMT or artificial intelligence (“AI”) systems. (CCPA Regs. Sect. 7152(a)(2)(B)).

Expanded Definitions of Sensitive Data Categories

Addition of “Neural Data”: The definition of “sensitive personal information” was revised to include “neural data,” aligning with other states’ emerging concerns around brain-computer interface technologies. (CCPA Regs. Sect. 7001(ddd)).

Exemption for Non-Identifiable Physical/Biological Traits: The CPPA added an exception to the definition of “physical or biological identification or profiling,” excluding traits that cannot be linked to a specific consumer. (CCPA Regs. Sect. 7001(hh)).

Notice at Collection – AR/VR and Device-Based Interactions

Timing Flexibility for Notice in New Environments: The updated CCPA Regs. allow businesses to provide notice either before or “at the time” a device begins collecting personal information that the business sells or shares. (CCPA Regs. Sects. 7013(e)(3)(C), (D). This change accommodates more dynamic and immersive tech environments.

Enforcement and Simplification Measures

Removed Requirements for Agency Complaint Information: The CPPA removed the obligation to inform consumers about their ability to file complaints with the CPPA or Attorney General.

Deleted Redundancies and Technical Burdens: Several provisions were struck to streamline requirements, including § 7023(f)(3), which previously required businesses to notify others that a consumer contests certain personal data accuracy claims.

Businesses subject to the CCPA should review these changes carefully, ensure internal alignment with new deadlines and definitions, and prepare for continued rulemaking as the CPPA moves toward finalizing these updates.

Copyright © 2025, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF DISPOSITION OF COLLATERAL: GeneralHealth Group Inc.
Published: 8 April, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: LQD LOANS TWO, LCC
Published: 7 April, 2025
PUBLIC NOTICE OF RECEIVERS SALE: Gladstone Food Products
Published: 7 April, 2025
PUBLIC NOTICE OF UCC SALE: CCP Mezzanine Nashville I, LLC
Published: 4 April, 2025
PUBLIC NOTICE OF CHAPTER 11 SALE: S&G Hospitality, INC
Published: 1 April, 2025
PUBLIC NOTICE OF RECEIVER’S SALE: LANDSCAPING SUBCONTRACTOR
Published: 31 March, 2025
PUBLIC NOTICE OF 363 SALE: Elmer Buchta Trucking
Published: 31 March, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: PHILLIPS AMSTERDAM II LLC
Published: 31 March, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: True North Services, LLC
Published: 24 March, 2025
PUBLIC NOTICE OF AUCTION OF ASSETS: LARRY J. WINGET LIVING TRUST
Published: 24 March, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Burke Decor, LLC
Published: 20 March, 2025
PUBLIC NOTICE OF UCC SALE: Shoreview UCC
Published: 24 February, 2025
PUBLIC NOTICE OF UCC SALE: 285 Madison Mezzanine LLC
Published: 17 February, 2025
Discover more public notices

Current Legal Analysis

More from Hunton Andrews Kurth

Washington State Enacts Antitrust Pre-Merger Notification Act
by: Kevin Hahm , Bennet Sooy
NIST Finalizes Cyber Attack Guidance for Adversarial Machine Learning
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Executive Order Seeks to Reinvigorate Domestic Coal Production
by: Martin P. Stratte , Joanna D. Enns
Executive Order Seeks to Increase Domestic Coal Production
by: Joanna D. Enns , Martin P. Stratte
Department of Justice Changes Course on Digital Assets
by: Scott H. Kimpel
Notice to Employers: The EEOC Is Targeting Anti-American Bias
by: Kevin J. White , Alyce Ogunsola
New Ruling Reinforces Limits on Automatic Stay Waivers
by: Gregory G. Hesse , Ross Rubin
Entrance to [Copyright] Paradise Halted by the Human-Authorship Requirement
by: Jonathan D. Reichman
US Customs and Border Protection Issues Guidance on Reciprocal Tariffs
by: Kevin E. Gaunt
Significantly Tailored Back, CTA Now Only Requires BOI Reporting For “Foreign Reporting Companies” and Non-US Persons
by: Carleton Goss , Kevin E. Gaunt
The End of the Corporate Transparency Act Regime for Domestic Companies
by: Scott H. Kimpel , Alexander Abramenko
DOJ Final Rule on Bulk Transfer of Sensitive U.S. Personal and Government Data to Countries and Persons of Concern Goes Into Effect
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
SEC Staff Issues Statement on Stablecoins
by: Scott H. Kimpel

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters