CPPA Approves Regulations on Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits and More
What These Changes Mean for Business
At a Glance
- Overall, the definition of automated decisionmaking technology (ADMT) was substantially simplified in the CPPA’s revisions to its proposed regulations in May 2025, following broad criticism of the previous draft, and will now cover a narrower range of activities than initially proposed.
- Any company that uses ADMT to make a “significant decision” concerning a consumer will need to conduct a risk assessment prior to engaging in the activity. The regulations also now require businesses to conduct risk assessments prior to engaging in processing activities that present a “significant risk to consumers’ privacy.”
- The regulations now specifically clarify that insurance companies “that meet the definition of ‘business’ under the CCPA shall comply with the CCPA with regard to any personal information not subject to the Insurance Code and its regulations.”
At the end of July 2025, the California Privacy Protection Agency (CPPA) Board voted 5–0 to approve its long-awaited proposed California Consumer Privacy Act (CCPA) regulations addressing cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT) and applicability of the CCPA to insurance companies. The regulatory package also includes some updates to the main body of the pre-existing CCPA regulations. First formally proposed in November 2024, these regulations underwent a robust public comment period through the winter and faced substantial revisions in spring 2025. The Board will now submit the regulations to the California Office of Administrative Law for final review.
Below, we dig into some of the key aspects of these updates, in particular, the regulations:
Relatively Narrowly Define “ADMT”
Article 11 of the CCPA regulations now regulates businesses’ use of “ADMT to make a significant decision concerning a consumer.” See 11 C.C.R. § 7200(a). In 11 C.C.R. § 7001(e), “ADMT” is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”
“Substantially replace human decisionmaking” is defined, in turn, to mean that a business “uses the technology’s output to make a decision without human involvement,” where “[h]uman involvement requires the human reviewer to: (A) Know how to interpret and use the technology’s output to make the decision; (B) Review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and (C) Have the authority to make or change the decision based on [that] analysis . . .”
Overall, the definition of ADMT was substantially simplified in the CPPA’s revisions to its proposed regulations in May 2025, following broad criticism of the previous draft, and will now cover a narrower range of activities than initially proposed.
Create Obligations for Businesses Using ADMT for Significant Consumer Decisions
Any company that uses ADMT to make a “significant decision” concerning a consumer will need to: (1) conduct a risk assessment prior to engaging in the activity; (2) provide an ADMT pre-use notice to the consumer; (3) grant the consumer the ability to opt-out of such use of ADMT; and (4) grant the consumer the ability to access ADMT, including by providing information, in response to a consumer request, regarding the purpose for use of ADMT, the logic of the ADMT, the outcome of the decisionmaking process for the consumer, and information about nondiscrimination and exercise of additional CCPA rights.
A “significant decision” in this context means any decision resulting in the provision or denial of financial/lending services; housing; education enrollment or opportunities; employment/independent contracting opportunities or compensation; or health care services. See 11 C.C.R. § 7001(ddd). Businesses that use ADMT for significant decisions must comply with the ADMT regulations by January 1, 2027. For further details, please see 11 C.C.R. §§ 7150, 7200–22.
Mandate Annual Cybersecurity Audits for Certain Businesses
Article 9 of the CCPA regulations now requires businesses to conduct annual, independent cybersecurity audits if their processing of consumer personal information presents “significant risk” to consumers’ security. Under the regulations, “[a] business’s processing of consumers’ personal information presents significant risk to consumers’ security if”: (1) the business derived, in the preceding calendar year, 50% or more of its annual revenue from selling/sharing personal information; or (2) the business had annual gross revenues, in the preceding calendar year, in excess of $26.625 million and either (a) processed, in the preceding calendar year, the personal information of 250,000 or more California consumers or households, or (b) processed, in the preceding calendar year, the sensitive personal information of 50,000 or more California consumers.
This broad definition of “significant risk” will require many companies to comply with the regulations’ new annual cybersecurity audit requirement. Audits must be completed by April 1 of each year, with staggered effective dates ranging from 2028 through 2030 depending on companies’ annual gross revenues. For example, companies with annual gross revenues of more than $100 million in 2026 will be required to conduct cybersecurity audits under the regulations by April 1, 2028, covering the period from January 1, 2027, to January 1, 2028.
Moreover, by April 1 of each year, businesses that are required to complete cybersecurity audits must submit to the CPPA a certification of completion of their cybersecurity audit, which must be completed by a member of the business’s executive management team and contain the details required by 11 C.C.R. § 7124(d).
Require Risk Assessments Prior to Engaging in Activities Posing Significant Risk to Consumer Privacy
The regulations also now require businesses to conduct risk assessments prior to engaging in processing activities that present a “significant risk to consumers’ privacy.” See generally 11 C.C.R. §§ 7150–57. Activities that present a “significant risk to consumers’ privacy” include: (1) selling/sharing personal information; (2) processing sensitive personal information (except for narrow employee exemptions); (3) using ADMT for a significant decision concerning a consumer; (4) using automated processing to infer/extrapolate certain characteristics about a consumer from systemic observation of that consumer when the consumer is acting in an educational, applicant or employment-related context; (5) using automated processing to infer/extrapolate certain characteristics about a consumer from systemic observation of that consumer based on the consumer’s presence in a sensitive location; or (6) processing personal information that the business intends to use to train ADMT for significant decisionmaking.
Although these categories are more limited than they were in the CPPA’s initial draft of the risk assessment regulations, they do still cover a broad range of personal information processing activities. The regulations articulate various content requirements for risk assessments, see generally 11 C.C.R. § 7152; require that businesses review and update their risk assessments at least once every three years, id. § 7155(a)(2); permit use of a single risk assessment for a comparable set of processing activities, id. § 7156(a); and require businesses to submit certain high-level information about their preparation of risk assessments by April 1 of each year.
For risk assessments conducted in 2026 and 2027, that information must be submitted to the CPPA by April 1, 2028. For risk assessments conducted after 2027, that information must be submitted to the CPPA by no later than April 1 following any year during which the business conducted the risk assessments.
Clarify the CCPA’s Applicability to Insurance Companies
The regulations now specifically clarify that insurance companies “that meet the definition of ‘business’ under the CCPA shall comply with the CCPA with regard to any personal information not subject to the Insurance Code and its regulations. For example, those insurance companies shall comply with the CCPA for personal information that is collected for purposes not in connection with an insurance transaction, as that term is defined in Insurance Code, section 791.02.” See 11 C.C.R. § 7271(a). Article 12 of the regulations also includes three illustrative examples that further explain how the CCPA applies to insurance companies.
Other Amendments
The amended regulations also make some edits to the main body of the existing regulations, including provisions regarding dark patterns; some tailored updates to privacy policy, notice at collection and notice of right to limit requirements; clarifications regarding data subject rights and opt-out preference signals; updates to service provider contract requirements; and more.
For reference, the most recent copy of the amended regulations can be found here.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.