CCPA Draft Regulations Sent for Final Approval
On July 24, 2025, the California Privacy Protection Agency (CPPA) board voted 5-0 to finalize Draft Regulations to the California Consumer Privacy Act (CCPA). The CPPA sent the rulemaking package to the Office of Administrative Law, which has 30 days to approve the regulations.
The rulemaking process for these Draft Regulations began in 2022, and while the regulations have been narrowed since the prior proposal, the Draft Regulations will significantly impact how companies manage automated decisionmaking technology (ADMT), conduct risk assessments, and implement cybersecurity audits.
Additionally, California’s regulatory process requires the CPPA to respond to public comments with its rationale for accepting or rejecting each suggestion. This requirement provides additional context and guidance for interpreting the intent of the Draft Regulations as they go into effect.
What’s New? A Summary of Key Changes
The Draft Regulations contain significant changes from the prior proposal – along with a 9-page explanation of changes. Most notably, the Draft Regulations roll back several of the most highly debated elements, while streamlining and clarifying other requirements:
- References to “Artificial Intelligence” have been removed, significantly tightening the scope of ADMT systems.
- First-party advertising has been removed from the ADMT definition, narrowing the requirements that apply to this type of processing.
- Risk assessments are streamlined, and the scope of the types of data processing activities that trigger risk assessments has been narrowed.
- Cybersecurity audits are clarified, and the CPPA included a “cybersecurity audit report” which should be produced during the audit process.
ADMT: Narrower Definition, Clearer Application
The Draft Regulations significantly narrow the scope of ADMT systems. Previously, ADMT systems included any technology that “substantially facilitated” human decisionmaking. Now, the Draft Regulations limit ADMT to systems which “substantially replace” human decisions. In practical terms, this may mean that only technologies which operate without human review or override fall under the ADMT rules. Importantly, the CPPA also removed first-party behavioral advertising from the definition of ADMT. Previously, businesses raised strong concerns that including this category within the ADMT definition would impose unnecessary burdens on common advertising practices. Businesses also voiced that including first-party behavioral advertising in the definition of ADMT went beyond Proposition 24, which provides the basis for amending the CCPA.
Risk Assessments: Who, What, and When?
While risk assessments remain a key part of the Draft Regulations, the CPPA has refined when they apply and what they must include.
Who Needs to Conduct a Risk Assessment?
Under the Draft Regulations, covered businesses that fall under the California Consumer Privacy Act (CCPA) “whose processing…presents significant risk to consumers’ privacy” must conduct a risk assessment. However, the newest version of the Regulations narrows what processing activities present “significant risk.” These activities include but are not limited to:
- Selling or sharing personal information, which may require specific contractual obligations per the CCPA and current CCPA Regulations.
- Processing sensitive personal information, as defined in the CCPA, including financial information, precise geolocation, health information and children’s personal information.
- Using automated decisionmaking technology for a “significant decision” concerning a consumer, including those that impact availability of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.
- Using automated processing to profile a consumer through systematic observation when the individual is acting as an educational program applicant, job applicant, student, employee, or independent contractor for the covered business.
- Using automated processing to profile a consumer based on their presence in a sensitive location, including healthcare facilities, domestic violence shelters, food pantries, housing/emergency shelters, educational institutions, political party offices, legal services offices, union offices, and places of worship.
- Using personal information to train AI that could be used to make significant decisions concerning consumers, or to train facial- or emotional-recognition or other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer.
What Must a Risk Assessment Include?
A risk assessment must document:
- The purpose of the processing, the types of data involved, and any sensitive categories of personal information.
- How the business plans to use the data, or otherwise collect, disclose or process the information, along with the retention period for the information.
- How the business interacts with consumers, and whose data they process, along with the number of consumers whose information will be processed.
- The disclosures made to consumers, and any other disclosures that the covered business plans to make, along with the names of the service providers, contractors, or third parties to whom the information will be disclosed and the purpose for that disclosure.
- The benefits, negative impacts, and safeguards of the planned processing.
- Whether or not the business will initiate the processing subject to the risk assessment.
- The individuals who provided information, as well as who reviewed and approved the document.
Where the processing involves ADMT, the assessment must also document:
- The logic of the ADMT, including any assumptions or limitations of the logic; and
- The output of the ADMT and how the covered business will use that output to make a significant decision.
The submission to the CPPA must include:
- The business’s contact information, the information of the person submitting the assessment, and the date of certification.
- The time period covered by the submission, and the number of risk assessments conducted or updated during that time.
- Whether the risk assessments involved the processing of each of the categories of personal information identified in the CCPA.
- A specific attestation, made under penalty of perjury, certifying that the business conducted a risk assessment for the processing activities involving significant decisions.
Cybersecurity Audits: Who, What, and When?
Among the added definitions is the “cybersecurity audit report” – the document that covered businesses must create as part of the cybersecurity audit. Similar to the changes regarding risk assessments, this inclusion was part of the streamlining and clarification efforts of the CPPA. The scope and requirements of the cybersecurity audit – and the resulting audit report – have also been modified.
Who Needs to Complete a Cybersecurity Audit?
According to the Draft Regulations, every covered business whose processing of information presents a “significant risk” to consumers’ security must complete a security audit. While this language is similar to the requirements of the risk assessment, “significant risk” is defined slightly differently in the context of a cybersecurity audit. According to the Draft Regulations, a “significant risk” that warrants a cybersecurity audit includes but is not limited to covered businesses which:
- Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information; or
- Had a gross annual revenue of $25M in the preceding calendar year (adjusted for inflation), and
- Processed the information of 250,000 or more consumers or households in the last year; or
- Processed the sensitive information of 50,000 or more consumers in the last year.
What Must the Audit Assess?
The audit must assess the components of the business’s cybersecurity program, including:
- Authentication and encryption;
- Access control and account management;
- Software and hardware inventories;
- Patch and configuration management;
- Network security, antivirus, and antimalware;
- Incident response and business continuity;
- Vendor oversight;
- Data retention and disposal; and
- Employee and contractor training.
What Must the Cybersecurity Audit Report Include?
- What was assessed and why. The report should describe the processes, activities, and components of the business’s cybersecurity program, the criteria used for the audit, and the specific evidence examined to reach its findings and assessments.
- Evidence reviewed. The report must also include why these elements were appropriate for the audit, and how the evidence examined supports the findings.
- Gaps or weaknesses found. The report should describe, in detail, the status of any gaps or weaknesses and any additional components that the auditor deemed to increase the risk of unauthorized activity. The report should also document the business’s plan to address these gaps and/or weaknesses.
- Auditor information and certification. The report should also include the auditor’s information, as well as a statement by the highest-ranking auditor certifying that they completed an independent review of the business’s cybersecurity program and information system, exercised objective and impartial judgement on all issues within the scope of the audit, and did not rely primarily on assertions or attestations by business management to create the audit.
When Are Cybersecurity Audits Due?
The first audits are due on a staggered schedule by revenue:
- April 1, 2028, for covered businesses with over $100 million in gross annual revenue;
- April 1, 2029, for covered businesses with $50 million to $100 million in gross annual revenue; and
- April 1, 2030, for covered businesses with under $50 million in revenue.
What Comes Next?
On July 24, 2025, the CPPA sent the rulemaking package to the Office of Administrative Law, which has 30 days to approve the regulations. The CPPA’s Draft Regulations signal a more measured approach to emerging technologies, such as AI. Still, these Draft Regulations carry out the CPPA’s mandate to issue regulations, reinforcing the agency’s commitment to privacy and security. For executives, the potential adoption of the Draft Regulations could be a strategic inflection point: whether they are responsible for legal, compliance, data governance or information security, these Draft Regulations should prompt a reassessment of data practices, internal documentation and audit readiness. The publication of these Draft Regulations is also an opportunity to engage more deeply with operational teams. These rules will require clear cross-functional coordination, and organizations that begin building these bridges sooner will be better positioned to meet regulatory expectations and reinforce consumer trust in the coming years.
Compliance Deadlines
Compliance with these Draft Regulations will be required once they are approved by the Office of Administrative Law. The deadlines include:
- ADMT Regulations: January 1, 2027
- Privacy Risk Assessments: December 31, 2027
- Cybersecurity Audits:
- For businesses with $100+ million in annual gross revenue: April 1, 2028.
- For businesses between $50 million and $100 million in annual gross revenue: April 1, 2029.
- For businesses with less than $50 million in annual gross revenue: April 1, 2030.
