California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action

By Alan Friel, Kyle Fath & Alara Abbasi on October 2, 2025

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA) regulations, a process we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that hundreds of investigations and enforcement actions were in progress, many of them at a stage where the businesses involved were not yet aware that they are targets. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.

So, California businesses, brace yourselves: the CCPA regulations have undergone a major update at the same time the CPPA is turning up the heat on businesses. Following years of civic discussion, multiple hearings, and hundreds of public comments, the CPPA Board has adopted a batch of regulations affecting businesses’ data privacy obligations. On September 23, the California Office of Administrative Law (OAL) approved new regulations on cybersecurity audits, risk assessments, and ADMT, together with edits to the existing CCPA regulations, which the CPPA Board confirmed last week. These regulations impose new obligations on businesses to comply with strengthened consumer privacy rights, some of which will phase in over time:

  • Cybersecurity Audits

Businesses required to complete annual cybersecurity audits must submit certifications to the CPPA by:

  1. April 1, 2028, if the business makes over $100 million;
  2. April 1, 2029, if the business makes between $50 million and $100 million; or
  3. April 1, 2030, if the business makes less than $50 million.

  • Risk Assessments

Businesses subject to risk assessment requirements must conduct assessments that meet the regulations’ exacting requirements prior to beginning any new processing activities on or after January 1, 2026, though they have until December 31, 2027, to do so for processing activities that began before January 1, 2027, but which thereafter are continuing. By April 1, 2028, they must submit to the CPPA:

  1. An attestation that required risk assessments were completed in compliance with the regulations, and
  2. A summary of their risk assessment information for 2026 and 2027 (and thereafter annually).

California now joins Colorado with very detailed obligations for how assessments must be conducted and documented, which unfortunately have material differences from the Colorado mandates.

  • Automated Decisionmaking Technology (ADMT)

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027. While the final regulations are far less burdensome than originally proposed, they bring new considerations and obligations and include material differences from other states.

  • Substantive Changes Unrelated to Cybersecurity Audits, Risk Assessments, and ADMT go into effect Jan. 1, 2026.

The CPPA is also making it clear that existing regulations will be vigorously enforced. We have covered the evolution of CCPA enforcement here, here and here. The latest case addresses issues that have proven to be of particular concern to regulators: properly effectuating opt-outs of sale/sharing for cookies and other tracking technologies that facilitate targeted advertising or otherwise do not qualify as service provider processing; enabling browser privacy control signals to automatically convey and implement such opt-outs; and having contracts in place with service providers, contractors and third parties that include the CCPA-mandated contract provisions appropriate for the nature of the processing relationship. We have already delved into how to meet these requirements in detail here. Interestingly, Tractor Supply is the first published enforcement action that addresses CCPA compliance in the context of job applicants and current and former employees. California’s is the only state consumer privacy law that applies in the human resources and business-to-business contexts. The CPPA also brought claims for failing to update the posted privacy notice annually and for not clarifying that the description of privacy practices in the notice reflected processing activities for the 12 months prior to the effective date. As businesses prepare for their year-end notice updates, they should assess overall compliance, with particular attention to the issues that have led to recent enforcement actions.

To help you prepare, we follow with a summary of the changes for businesses under the new and revised CCPA regulations:

CCPA Regulatory Updates – ADMT, Cybersecurity Audits, and Risk Assessments

Automated Decision-making Technology (ADMT)

Scope

The regulations define ADMT as “any technology that processes personal information and uses computation to replace… or substantially replace human decision making.” Section 7001(e). This includes a business’s use of the technology’s output to make a decision without meaningful human involvement, including through profiling. Section 7001(e)(1) and (2). Profiling is defined as any form of automated personal information (PI) processing to evaluate, analyze, or predict personal aspects concerning—among others—a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), interest, behavior, and location. Section 7001(ii).

The use of ADMT is regulated insofar as it is used to make a significant decision, defined as a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Section 7001(ddd).

Notably, the final regulations departed from prior efforts to regulate ADMT that is used merely to facilitate significant decisions, and the scope of significant decisions was significantly narrowed from what had been proposed. However, other states take a broader approach to both issues. Despite calls to track Colorado’s detailed regulations on profiling, California’s ADMT regulations are in some ways more, and in other ways less, burdensome. Accordingly, companies will need to either take a high-water-mark approach or address ADMT and profiling on a state-by-state basis.

Consumer Rights

Consumers will have the following rights with respect to ADMT:

  • Right to opt out of ADMT: businesses must provide consumers with the ability to opt out of the use of ADMT to make a significant decision concerning the consumer. Section 7221. However, this right is limited as follows:
    • If an appeal right is provided (see below); or
    • For certain educational and human resources decisions, if the ADMT (i) works as intended and (ii) does not discriminate. Section 7221(b)(2) and (3).
  • Right to access ADMT: upon request, businesses must provide the consumer information about the business’ use of ADMT, including information about the logic used and how the ADMT processed PI to generate an output with respect to them and what specific outputs were used, as well as information about the outcome of the decision and the role of human involvement in reaching the decision. Section 7222.
  • Request to appeal ADMT: if the business provides consumers a process to appeal the business’ use of ADMT for a significant decision to a human reviewer with authority to change the outcome, it may avoid providing the opt-out right. Section 7221(b)(1).
  • A previously proposed notice of adverse decision requirement was abandoned and is not part of the current regulatory scheme.

Pre-Use Notice

Additionally, businesses using ADMT must provide consumers with a prominent and conspicuous Pre-Use Notice informing consumers about the specific purpose for the business’ use of ADMT, their rights to opt-out (if appeal rights are not provided and excepting the HR and educational uses exempt from opt-out) and access ADMT, and the prohibition on retaliating against consumers for exercising those rights. Sections 7010(d), 7220 and 7221. The Pre-Use Notice must also contain an opt-out link for ADMT use, if opt-out is required.

HR Context

As mentioned above, the use of ADMT to make a significant decision about a consumer includes employment or independent contracting opportunities or compensation, though certain exceptions to opt-out apply. These updates to the CCPA are one part of a larger effort to regulate the use of AI in the employment context, including regulations by the California Civil Rights Council (CCR) addressing employment discrimination resulting from the use of AI, effective October 1, 2025. These regulations expand the reach of existing law—such as the California Fair Employment and Housing Act (FEHA)—to cover AI employment tools, opening the door for plaintiffs seeking to allege harms from algorithmic discrimination. We analyzed the impact of these regulations on employers processing data for HR purposes and the interplay between the CCPA and CCR regulations in this report.

Cybersecurity Audits

To comply with the new cybersecurity regulations, businesses must: (1) conduct an annual cybersecurity audit; (2) submit an audit report; and (3) certify completion of the audit.

Audit

A business whose processing of consumers’ PI presents a significant risk to the security of that PI (including HR and B-to-B PI) is required to complete an annual audit of its cybersecurity program. Along with assessing the business’ cybersecurity program overall, the audit must assess specific components, including authentication, encryption of PI, account management and access controls, hardware and software security, vulnerability scans and, importantly, systems to inventory and maintain all PI and all hardware and software that processes PI. This last requirement essentially mandates data mapping and management, following Minnesota’s approach.

Report

The audit must produce a report with certain information, such as a description of the business’s information system, audit criteria, evidence examined to make the assessments, and the policies, procedures, and practices assessed by the audit.

Certify

After completing the annual audit, businesses must submit a written certification of completion to the state no later than April 1 of the following year.

Risk Assessments

In addition to conducting a cybersecurity audit, a business whose processing of consumers’ PI presents a significant risk to consumers’ privacy is required to conduct a risk assessment before initiating that processing. Section 7150(a). This includes sale/sharing of PI, processing of sensitive PI, profiling, the use of ADMT for significant decisions concerning a consumer, and the use of PI to train ADMT or biometric data technology. Section 7150(b).

Businesses engaging in these activities must prepare and maintain a “risk assessment report” documenting much of the required assessment process. Significantly, the risk/benefit analysis that the regulations require as part of the assessment process need not be included in the published report, a welcome departure from the approach of other states. Certainly, this is an attempt to avoid the First Amendment compelled-speech challenges that brought down the California Age-Appropriate Design Act assessment requirements. The report must include the business’ purpose for processing consumers’ PI, the categories of PI to be processed, the operational elements of the processing (including seven specific types of operational details, which for ADMT include the logic used and the intended usage of the outputs produced), safeguards to address potential negative impacts, the persons involved in the assessment, whether the activity will be initiated, and who approved that determination and when. Section 7152. An aggregate summary of assessments for each calendar year, accompanied by a certification of completion, is to be filed annually with the CPPA. Section 7157(c).

Finally, businesses must review and update their risk assessments at least once every three years. Section 7155(a)(2). Reports, and updates, are to be retained for as long as the processing continues, or five years after completion, whichever is longer. Section 7155(c). The individual reports, and updates, are subject to inspection. Section 7157(e).

Other Substantive Changes to the CCPA Regulations

The CPPA also revised the existing regulations and made material changes, often revisiting issues it had originally considered in prior rulemaking but pulled back from to give businesses time to adapt. Other changes reflect concerns regarding implementation and attempt to avoid ambiguity or more clearly establish consumer protection intent.

Symmetry of Choice

The new regulations refine consent requirements by illustrating asymmetry of choice in more detail, an issue that has been raised in enforcement actions. According to Section 7004(a)(2), a consumer’s path to a more privacy-protective option should not be longer, more difficult, or more time-consuming than the path to a less privacy-protective option. The regulations specify that the number of steps to opt out of sale/sharing should be the same as or fewer than the number of steps to opt in. Similarly, a “yes” button that is more prominent than a “no” button—whether in size or color—is not an equal or symmetrical choice. Significantly, the regulations, which previously provided that the requisite symmetry was lacking where opting in after having opted out required more steps, have been amended to apply that principle to an opt-in request in the first instance, not just where an opt-out is being overridden. Section 7004(a)(2)(A). This reflects concerns regarding the configuration of cookie banners that have been raised in enforcement actions.

Businesses must also abide by new design requirements to avoid consumer confusion about choice. For instance, the regulations prohibit businesses from using double negatives, misleading statements or omissions, or deceptive language when asking for consent. Businesses are also prohibited from obtaining consumer consent without affirmative action or by silence. Finally, businesses are prohibited from designing their choices in a way that impairs the consumer’s ability to provide freely given, specific, informed, and unambiguous consent. For instance, businesses cannot rely on a consumer’s acceptance of general or broad terms of use to constitute consent for a particular purpose. Section 7004(a)(4)(C).

Confirmation of Opt-Out Processing

Section 7026(g) will now require businesses to “provide a means by which the consumer can confirm that their request to opt out of sale/sharing has been processed by the business.” The regulations also now require the same with respect to honoring of opt-out preference signals. See Section 7025(g)(6). Previously, these were optional. The regulations provide that the same example notice can suffice to meet both requirements: “For example, the business may display on its website “Opt-Out Request Honored” … and display in the consumer’s privacy settings through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information.”

Timing of Processing Sale/Sharing Opt-Outs

Section 7026(f) requires businesses to cease selling and sharing PI with third parties “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” It also requires notifying all third parties to whom the business has sold or shared the consumer’s PI, after the consumer submits the request to opt-out of sale/sharing and before the business complies with that request, that the consumer has made a request to opt-out of sale/sharing (along with directing them to comply and forward the request downstream).

The regulations provide helpful examples interpreting these obligations, addressing advertising/marketing use cases – one involving “programmatic advertising technology” on a website that can “restrict the transfer of personal information instantaneously” where the regulations state taking 15 business days to comply would not be compliant – and another involving the disclosure of PI lists to a marketing company that addresses the timing and notification requirements.

Colors of the Opt-Out Icon

There was previously a lack of clarity regarding whether the blue and white opt-out icon could be changed according to a website’s branding or otherwise. The regulations now state, “Businesses may adjust the color of the icon to ensure that the icon is conspicuous. For example, if the webpage background is the same color of blue as the icon, the business may invert or change the colors of the icon to ensure visibility.” Section 7015(b)(3).

Privacy Policy Requirements

The amended regulations include several changes to the required accessibility and content of privacy policies.

First, mobile apps must now include a link to their privacy policy. Previously, it was optional to include a link to the “privacy policy” in the mobile application settings menu. It will now be required as of Jan. 1, 2026. The defined term “privacy policy” refers specifically to the CCPA’s required disclosures; as a result, companies should consider including a direct link to their CCPA or state-specific privacy notice in their app settings menu, if they have not already done so. Section 7011(d).

Second, businesses must comply with the following requirements regarding the content of their privacy policies:

  • When identifying categories of sources and categories of third parties (sale/sharing recipients), the regulations clarify that the categories “shall be described in a manner that provides consumers a meaningful understanding of” where the information is collected from and the parties to whom the information is sold or shared, respectively. Section 7011(e)(1)(B) and (E).
  • Previously, businesses were required to associate the specific business or commercial purpose for disclosing PI to service providers as to each category of PI collected. Businesses no longer need to associate the purposes with specific categories of PI. See Section 7011(e)(1)(I).
  • Instead of referring to the right “not to receive discriminatory treatment,” businesses now must state that consumers have the right “not to be retaliated against for exercising privacy rights conferred by the CCPA, including when a consumer is an applicant to an educational program, a job applicant, a student, an employee, or an independent contractor.” Section 7011(e)(2)(H).

New Categories of Sensitive PI

The definition of “sensitive personal information” has been expanded to include the PI of consumers that the business has actual knowledge are less than 16 years of age. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This means that the processing of PI of consumers less than 16 years of age is subject to the right to limit. For sale/sharing of such data, however, the consent of the consumer is required.

Additionally, “sensitive personal information” now includes a consumer’s neural data, or information generated by measuring the activity of a consumer’s central or peripheral nervous system.

Updated Notice of Right to Limit

The Notice of Right to Limit requirements have been updated largely to align with the Notice of Right to Opt-Out (e.g., how to present the notice when interacting with consumers online vs. offline). Section 7014(e)(3).

Expansion of Access Rights Trailing Period

Under Section 7024(h), businesses are only required to “provide all the personal information it has collected and maintains about the consumer during the 12-month period preceding the business’s receipt of the consumer’s request.” However, reflecting CPRA changes, a consumer may request PI from beyond such period, as long as it was collected on or after January 1, 2022. The prior regulations did not require notifying consumers of that right.

Businesses now must “include a means by which the consumer can request that the business provide personal information collected prior to the 12-month period preceding the business’s receipt of the consumer’s request. For example, the business may ask the consumer to select or input the date range for which the consumer is making the request to know or present the consumer with an option to request all personal information the business has collected about the consumer.” Section 7020(e).

Authorized Agent Requirements

The regulations now explicitly prohibit, in connection with obtaining proof that the consumer gave the agent signed permission, businesses from requiring consumers to resubmit their request in their individual capacity. Section 7063(a).

Conduct Year-end Updates and Compliance Checks and Develop 2026 Project Plans and Budgets

Prior to year-end, businesses should (1) confirm their PI practices and update their privacy notices to reflect practices from the prior 12 months; (2) update policies and procedures, especially regarding consumer choice, to reflect the amendments to the regulations and the issues raised in enforcement actions; (3) prepare to implement a data processing risk assessment program that meets the new regulations’ requirements for new 2026 processing activities before they are initiated, and develop a roadmap for assessing ongoing processing prior to December 31, 2027; and (4) develop a project plan to prepare for the upcoming ADMT and cybersecurity audit (including data mapping) requirements. To help you do so, we have developed guidance materials, including a data processing risk assessment tool kit. More information is available here, or by contacting the authors or your Squire Patton Boggs relationship partner.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Privacy World
  • Organization:
    Squire Patton Boggs
  • Article: View Original Source