On September 23, 2025, the California Privacy Protection Agency (“CPPA”) announced that the California Office of Administrative Law approved the new California Consumer Privacy Act (“CCPA”) regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies, with staggered deadlines for compliance.
As noted by the CPPA, the approval marks the culmination of several years of industry and public engagement, including multiple hearings and hundreds of public comments.
The regulations take effect on January 1, 2026; however, the deadlines for compliance are staggered for different requirements and business types.
Cybersecurity Audits
Businesses required to complete cybersecurity audits must submit certifications to the CPPA as follows:
| Business Type | Certification Deadline |
| --- | --- |
| Businesses making over $100 million | April 1, 2028 |
| Businesses making between $50 million and $100 million | April 1, 2029 |
| Businesses making less than $50 million | April 1, 2030 |
Risk Assessments
Businesses subject to risk assessment requirements must begin their compliance by January 1, 2026, and by April 1, 2028, they must submit to the CPPA:
- An attestation that the required risk assessments were completed; and
- A summary of their risk assessment information.
ADMT
Businesses using ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.
