1 August 2025

California Privacy Protection Agency Approves Draft Regulations After Over A Year In Drafting

Foley & Lardner

Contributor


On July 24, 2025, the California Privacy Protection Agency (CPPA) voted unanimously to finalize the draft regulations for automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits under the CCPA (as amended by the CPRA). The regulations now go to the California Office of Administrative Law for final approval and (if approved) publication into the California Code of Regulations.

The final regulations come after a year of drafting and feedback from the public and even Governor Gavin Newsom.

Some of the key changes to the regulations from previous drafts include:

  • Removal of references to "Artificial Intelligence" and behavioral advertising with respect to ADMT, and a relaxation of when ADMT may be used and of consumers' rights to opt out of the use of ADMT.
  • Risk assessments when the processing may result in a risk to consumers' privacy. Some of the enumerated processing activities that could fall into this category are selling/sharing of personal information, processing sensitive personal information, using ADMT for "significant decisions" concerning a consumer, and certain uses of ADMT technologies. Notably, the risk assessments also contain a requirement for data mapping, which has long been promoted in privacy circles even without statutory requirements.

But this may not be the final chapter in the CCPA regulations. The CPPA indicated that the regulations may be revised again (to be either stricter or more relaxed) based on how the regulations actually work out.

Furthermore, the regulations attempt to limit the threat that the use of ADMT poses to consumers, which contradicts the Trump Administration's stated goal of limiting "burdensome" AI regulation in favor of potential economic benefits, as stated in the administration's recently published "America's AI Action Plan." This may set up a fight between the current administration and California regulators. And, in any event, businesses that are subject to the CCPA may also be subject to other state, federal, and international laws, which may impose more significant obligations on businesses developing and using ADMT than what has been approved in these regulations.

The effective dates of the regulations vary, with some going into effect as early as January 1, 2026, and other sections taking effect over a year from now. For example, for processing activities occurring after the effective date (to be determined by OAL), the first risk assessment is not due until December 31, 2027 (over 2 years from now), and businesses that use ADMT do not need to comply with the ADMT requirements until January 1, 2027. Nevertheless, some of the requirements may demand significant resources, and we recommend that businesses start on their compliance efforts sooner rather than later.

The California Privacy Protection Agency Board voted unanimously 24 July to finalize rules governing the use of automated decision-making technology, risk assessments, cybersecurity audits and insurance under the California Consumer Privacy Act. The board voted 5-0 on the regulations package following more than a year of drafting and debate during the pre-rulemaking and formal rulemaking phases.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
