California Privacy Protection Agency Releases Updated Regulations: What’s Next?

By Kathryn Rattigan on May 15, 2025

This month, the California Privacy Protection Agency (CPPA) Board discussed updates to the California Consumer Privacy Act (CCPA) draft regulations related to cybersecurity audits, risk assessments, automatic decision-making technology (ADMT), and insurance.

The CPPA received comments on the first draft of the regulations between November 22, 2024, and February 19, 2025, and the feedback was provided at last month’s board meeting.

Based on the discussions at last month’s meeting, the CPPA made further revisions to the draft, which include the following:

  • Definition of ADMT: ADMT will no longer include technology that ONLY executes a decision or substantially facilitates human decision-making; the definition will only include technology that REPLACES or substantially replaces human decision-making.
  • Definition of Significant Decision: Risk assessments and ADMT obligations are triggered by certain data processing activities that lead to “significant decisions” that affect a consumer; the updated draft no longer includes decisions that determine “access” to certain services as triggering events. However, financial or lending, housing, education, employment, and independent contracting services constitute services that implicate whether a significant decision is being made about a consumer; insurance, criminal justice services and essential goods and services were removed from the list of services in the latest draft.
  • First-Party Advertising: Under the updated draft, companies are not required to conduct risk assessments or comply with the ADMT obligations simply because they profile consumers for behavioral advertising (i.e., first-party advertising does not trigger these requirements under the new draft).
  • ADMT Training and Personal Information: Companies will only be required to conduct a risk assessment if they process personal information to train ADMT for specific purposes.
  • Sensitive Location Profiling: Companies will not be required to conduct a risk assessment simply because they profile consumers through systematic observation in publicly accessible spaces; they will only have to adhere to the risk assessment requirement if the company profiles a consumer based on the individual’s presence in a “sensitive location” (i.e., healthcare facilities, pharmacies, domestic violence shelters, food pantries, housing or emergency shelters, educational institutions, political party offices, legal services offices, and places of worship).
  • Artificial Intelligence: The updated draft does not refer to “artificial intelligence” (AI) and AI terminology has been removed. However, AI systems would fall under the definition of ADMT and be subject to the other requirements under the updated regulations.
  • Cybersecurity Audits: If a company meets the risk threshold, the first cybersecurity audit must be completed as follows:
    • April 1, 2028, if the business’s annual gross revenue for 2026 is more than $100 million.
    • April 1, 2029, if the business’s annual gross revenue for 2027 is at least $50 million but no more than $100 million.
    • April 1, 2030, if the business’s annual gross revenue for 2028 is less than $50 million.

Thereafter, if a company meets the risk thresholds under the law, it must conduct a cybersecurity audit annually, irrespective of gross annual revenue.

  • Submission of Risk Assessments: Under the updated draft, companies no longer have to submit their risk assessments to the CPPA; instead, the company must provide an attestation and a point of contact for the company. Such documentation is due to the CPPA by April 1, 2028, for risk assessments completed in 2026 and 2027; after 2027, the documentation must be submitted by April 1 of the year following any year in which a risk assessment was conducted.

So, what’s next?

  • The CPPA initiated another public comment period, ending on June 2, 2025.
  • The CPPA MUST finalize the draft regulations by November 25, 2025:
    • If the CPPA files the final regulations by August 31, 2025, then the updates will take effect on October 1, 2025;
    • If the CPPA files the final regulations AFTER August 31, 2025, then the updates will take effect on January 1, 2026.

We will continue to monitor the CPPA’s actions and the road to the final regulations.


Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Privacy + Cybersecurity Insider
  • Organization:
    Robinson & Cole LLP