The California Privacy Protection Agency recently approved new regulations under the California Consumer Privacy Act (“CCPA”) that introduce significant requirements for businesses regarding automated decisionmaking technology (“ADMT”), risk assessments, and cybersecurity audits. These regulations define ADMT to include “any technology that processes personal information to replace or substantially replace human decision-making,” with specific inclusion of profiling activities. Businesses must now provide consumers with notice and the right to opt out of ADMT processing, as well as new rights to access information about ADMT and appeal decisions made by such technology.
Additionally, the regulations establish detailed requirements for risk assessments and cybersecurity audits. By December 31, 2027, businesses must complete risk assessments for certain types of personal information processing, such as using ADMT for significant decisions, training ADMT, profiling, processing sensitive information, or selling or sharing personal information. Businesses must submit annual risk assessment reports to the California Privacy Protection Agency starting in April 2028.
Cybersecurity audits are mandated for businesses that:
(1) derive at least half of their revenue from selling or sharing personal information; or
(2) meet the CCPA revenue threshold and either (a) processed the personal information of 250,000 California consumers in the previous calendar year, or (b) processed the sensitive personal information of at least 50,000 California consumers in the previous calendar year.
Businesses meeting these thresholds are required to complete their first audits between 2028 and 2030 depending on company size. These audits must be conducted by qualified, independent professionals and address the effectiveness of cybersecurity programs, identify gaps, and document remediation efforts.
Next Steps
If your business needs to comply with the CCPA, we recommend:
- understanding how the business uses or would like to use ADMT, and how that use may trigger additional obligations outlined in the new rules;
- identifying any processing that requires the business to complete a risk assessment; and
- determining whether the business meets any of the applicability thresholds for the cybersecurity audit requirement. If the business will need to complete a cybersecurity audit, we recommend taking steps now to improve your security posture and identify qualified auditors.