On July 24, 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the California Consumer Privacy Act (CCPA). These substantial changes include new compliance obligations for businesses subject to the CCPA. Significantly, the updates emphasize the CPPA’s new regulatory focus on artificial intelligence (AI) decisionmaking and cybersecurity in addition to privacy. The CPPA opted to open the Delete Request and Opt-Out Platform (DROP) regulations for further public comment on its proposed changes. A breakdown of the key updates and what they mean for regulatory compliance is below.
Automated Decisionmaking Technology
Definitions
This final version of the CCPA text does not include AI as a defined term. Instead, the new regulations introduce a new term, “automated decisionmaking technology” (ADMT), which means “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”
The text further defines “substantially replace human decisionmaking” to mean that “a business uses the technology’s output to make a decision without human involvement.” In November 2024, when the CPPA initially proposed these amendments, the language read “substantially facilitate human decisionmaking.” The shift to the term “replace” in the final text indicates that the CPPA is more concerned with businesses using ADMT instead of human decisionmaking. That is, the new regulations aim to target use cases of ADMT that lack human involvement. The new text further clarifies that human involvement would require the human reviewer to:
- Know how to interpret and use the technology’s output to make the decision;
- Review and analyze the output of the technology and any other information relevant to make or change the decision; and
- Have the authority to make or change the decision based on their analysis above.
The text clarifies that ADMT includes profiling, but does not include web hosting, domain registration, antivirus, spellchecking, and databases and spreadsheets, provided that they do not replace human decisionmaking—this clarifier is crucial. A marketing team might use Visual Basic for Applications (VBA) macros in a spreadsheet to analyze customer data such as purchase frequency and total spent. The macro uses the data to automatically classify customers into tiers and to generate a targeted email list for each tier. Without human involvement (as defined by the new text), this decisionmaking might be considered ADMT.
Consumer Rights Related to ADMT
The updated CCPA regulations provide consumers with rights related to ADMT and impose obligations on businesses to inform consumers of these rights. These “new” rights extend rights that consumers already had under the CCPA with respect to the processing of their personal information, such as the right to opt out and the right to access. In essence, a business’s use of ADMT adds a new category of information for which the consumer already possesses CCPA rights, but it requires the business to be transparent with the consumer about the use of ADMT and to provide mechanisms for consumers to exercise their CCPA privacy rights.
In this context, businesses must enable consumers to opt out of the use of ADMT to make significant decisions about them. Significant decisions are decisions that result in the provision or denial of financial or lending services, housing, education enrollment/opportunities, employment opportunities, or healthcare services. Businesses must provide consumers with two or more methods of submitting requests to opt out of ADMT. Businesses that interact with consumers online must, at a minimum, allow consumers to submit requests through an online interactive form.
In addition, businesses must provide consumers with access to information about the business’s use of ADMT to make a significant decision about the consumer. In responding to a consumer’s request to access ADMT, a business must explain the specific purpose for which it uses ADMT, the logic of the ADMT, and the outcome of the decisionmaking process for the consumer. Businesses have 45 days to respond to a request to access or appeal ADMT.
Pre-Use Notice
The new regulations require a business that uses ADMT to provide consumers with a pre-use notice that informs them about the business’s use of ADMT and their rights related to ADMT. A pre-use notice may be provided in a business’s Notice at Collection. The pre-use notice must explain, in plain language, what the business plans to use ADMT for and must describe the consumer’s right to opt out of ADMT. The notice must also explain how the ADMT works to make a significant decision about consumers and how the decision would be made if the consumer opts out of ADMT, unless the business provides the consumer with a method to appeal the decision that involves human review by a person with authority to overturn the ADMT decision.
Timeline for Compliance
Businesses that use ADMT prior to January 1, 2027, must comply with the ADMT requirements no later than that date.
Cybersecurity Audit
In many ways, the new regulations show that the regulatory line between enforcing privacy and cybersecurity is becoming increasingly blurred. The CCPA final text manifests the CPPA’s intent to regulate businesses’ privacy and cybersecurity programs. Significantly, the regulations introduce an annual cybersecurity audit requirement for businesses that meet a certain threshold. This audit must assess how the business’s cybersecurity program protects consumer personal information from unauthorized access and disclosure. Components of a cybersecurity program that fall into the audit’s scope include the business’s cybersecurity measures, such as authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education.
The audit must be conducted by a “qualified, objective, [and] independent” professional who has knowledge of cybersecurity and how to audit an organization’s cybersecurity program. An internal auditor can be used, but to maintain their independence, an internal auditor must report directly to a member of the organization’s business executive team who does not have direct responsibility for the organization’s cybersecurity program. Regardless of whether the auditor is internal or external to the business, the business must make all relevant information and facts available to the auditor. The final audit report must be signed by the highest-ranking auditor with a certification statement affirming that their review was independent, objective, and impartial.
The audit report must identify the organization’s relevant policies, procedures, and practices, as well as the criteria used by the auditor. The report must also identify the specific evidence used to make the decisions and explain why the evidence justifies the auditor’s findings. The report must outline, in detail, gaps or weaknesses in the organization’s policies or cybersecurity program components that the auditor believes will increase the risk of unauthorized access or activity.
A cybersecurity audit used for another purpose, such as an audit that uses the NIST Cybersecurity Framework 2.0, may be used for this audit purpose, provided that it meets all the requirements outlined in the CCPA.
The timeline for completion of the initial cybersecurity audit depends on the business’s revenue in prior years. All businesses must complete this audit by April 1, 2030, but some will be required to do so by April 1, 2028, depending on income. Businesses are required to submit a certificate of completion to the CPPA annually.
Pre-Processing Risk Assessment
Under the new regulations, any business that poses a significant risk to consumers’ privacy in processing personal information must conduct a risk assessment before initiating that processing. The goal of a risk assessment is to restrict or prohibit the processing of personal information if the resulting privacy risks to the consumer outweigh the benefits to the business and other stakeholders. Businesses must conduct and document a risk assessment before initiating any processing activity and must update a risk assessment whenever there is any material change to a processing activity.
The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses, in some way, share personal information with third parties. The CCPA also sets forth certain scenarios where using automated processing to extrapolate a consumer’s intelligence presents significant risk. Using ADMT for significant decisions concerning a consumer or using consumer personal information to train an ADMT is also considered to present a significant risk.
Risk assessments must document a business’s purpose for processing consumer personal information and the benefits to the organization of that processing. The CCPA requires these descriptions to be made in specific terms. The CCPA does not consider vague descriptions such as “to improve services” or “for security purposes” to be specific, and businesses must identify the precise improvements or security reasons for which the information is being processed.
Risk assessments must also document the categories of information to be processed, including any categories of sensitive personal information. They must also include operational elements of processing, such as expected retention of information, what disclosures the business plans to make to the consumer, and the logic and output of any ADMT, if used. In addition, the risk assessment must also consider the negative impacts of processing on consumers’ privacy, including unauthorized access to their information, discrimination, or impairing consumers’ control over their information. The business must further identify safeguards it plans to implement for the processing, such as encryption and privacy-enhancing technologies.
Risk assessments must be reviewed and updated once every three years. If there is a material change in processing activity, a risk assessment should be updated as soon as possible, but no later than 45 calendar days from the change. For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the risk assessment attestation must be a member of the business’s executive management team who is directly responsible for, and has sufficient knowledge of, the business’s risk assessment compliance. Risk assessments must be maintained for as long as the processing continues or for five years after completion, whichever is later, and available for inspection by the CPPA or the Attorney General.
Insurance
The final CCPA changes also clarify the law’s application to insurance companies. Insurers are required to comply with the CCPA for personal information collected outside of an insurance transaction. The final text gives an example: if an insurance company collects personal information from website visitors who have not applied for any insurance product or service in order to tailor personalized advertisements to those users, the insurer must comply with the CCPA with respect to that information. Insurers must also comply with the CCPA with respect to processing employees’ personal information. Since most websites use some form of tracking technology, and since all employers collect their employees’ personal information, insurance companies should assess their compliance with the CCPA promptly.
Other Notable Changes
- Neural data – The CCPA’s definition of sensitive personal information now includes a consumer’s neural data. As health technology devices and applications become more advanced, this addition reflects the CPPA’s contemplation of novel risks associated with data derived from consumers’ nervous systems.
- Conspicuous links on websites – The new text clarifies that any conspicuous link required under the CCPA should be present on any internet page where personal information is collected. For mobile apps, the conspicuous link must also be accessible within the application, such as through the application’s settings menu. For businesses only displaying such links on their homepages, this clarification imposes an additional compliance obligation.
- Choice architecture – The CCPA includes a provision against choice architecture that impairs or interferes with a customer’s ability to make a choice. The new text adds a clarifying example that acceptance of the general terms of use that contain descriptions of personal information processing, along with other unrelated information, is a type of choice architecture because it prevents a user from freely giving specific and informed consent.
- Clarification to right to limit – The new text explains that a business’s notice of the Right to Limit must be provided in the same manner in which the business collects the sensitive personal information. For example, if the business collects information at its brick-and-mortar store, the notice should be provided via an offline method. If a business uses sensitive personal information through a connected device, it should provide notice so that the consumer encounters the notice before or at the time the device begins collecting the sensitive personal information.
- Service providers and the right to know – Businesses already had to identify the categories of personal information and categories of third parties to whom a business sold or disclosed personal information. The new text also requires businesses to identify categories of service providers or contractors to whom the business disclosed personal information.
- Opt-out confirmation – Businesses must provide a means by which a consumer can confirm that their request to opt out has been processed by the business, such as displaying an “Opt-out request honored” message. Businesses should work with their consent management platforms to enable such a feature if not already enabled.
- Service providers – The CCPA already provided that service providers and contractors may not use personal information except for specific reasons, such as the specific business purpose outlined in the contract between the provider/contractor and the business, and for subcontracting. The new text specifies that any such use or disclosure must be reasonably necessary and proportionate for those purposes. For example, if a subcontractor only needs a certain subset of information, providing them access to an entire dataset may not be reasonably necessary and could violate this provision.
Next Steps
The California Office of Administrative Law (OAL) still needs to review and approve these amendments. The OAL has 30 business days after receiving the final text from the CPPA to do so. However, many industry experts expect that the OAL will only make minor, if any, changes. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority. CPPA’s next meeting is September 26, 2025, where it is expected to present its annual enforcement report and priorities.