New CCPA Rules Are Here: Is Your Business Ready for What’s Next?

By Alicia A. Baiardo, Payam Khodadadi & Nathanael Williams on October 8, 2025

In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations.  These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.

The updates arrive alongside a signal of the agency’s intensifying enforcement stance.  CPPA staff revealed that hundreds of active investigations are already underway—many involving businesses that have yet to realize they’re under scrutiny.

As 2026 approaches, businesses must prepare for more stringent privacy obligations and heightened enforcement risk.  The message from regulators is clear: compliance must be robust, proactive, and thoroughly documented.  These new rules—years in the making and shaped by extensive public engagement—are not just another layer of red tape.

The following is a short summary of the new and revised regulations. 

New Obligations

Automated Decision-Making Technology (ADMT)

The ADMT regulations govern the use of AI or algorithms in decisions that significantly impact consumers in:

  1. Financial services
  2. Housing
  3. Education
  4. Employment
  5. Healthcare

Consumers will have certain rights (subject to exceptions) regarding use of ADMT.  The rights include: 

  1. The right to opt-out of ADMT for significant decisions
  2. The right to access information about ADMT logic, personal information processed, outcomes, and human involvement.

In certain cases, offering consumers an appeal process can substitute for the opt-out requirement.

Businesses must issue a pre-use notice disclosing ADMT use and consumer rights.

Effective January 1, 2027

Risk Assessments

Risk assessments are required where a business processes consumers’ personal information that presents “significant risk” to consumers’ privacy.  “Significant risk” exists if the business is:

  1. Selling or sharing personal information
  2. Processing sensitive personal information
  3. Using ADMT for a significant decision
  4. Using automated processing to infer characteristics about consumers

Each risk assessment must include detailed documentation of the purpose of the processing, the safeguards applied, the logic of the processing, and approval records.

  1. For risk assessments conducted in 2026 and 2027, the business must submit the risk assessment no later than April 1, 2028.
  2. For risk assessments conducted after 2027, the business must submit the risk assessment no later than April 1 the following year.

Risk assessments must be updated at least every three years and retained for at least five years.

Cybersecurity Audits

Businesses are required to complete annual cybersecurity audits if the processing of personal information presents a “significant risk” to the consumers.  Significant risk exists where:

  1. The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; or
  2. The business is subject to the CCPA; and
    1. Processed personal information of 250,000 or more consumers in the preceding calendar year; or
    2. Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.

The cybersecurity audit requirements include the following:

  1. The business must assess its cybersecurity program, including policies and procedures.
    1. The regulations enumerate 18 components that must be assessed.
  2. The business must produce a cybersecurity audit regarding the assessment.
    1. The audit may be performed by an internal or external auditor.
    2. An internal auditor, however, must report directly to a member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program.

The business must submit certifications to the CPPA by:

  1. April 1, 2028, if the business has annual revenue over $100 million;
  2. April 1, 2029, if the business has annual revenue between $50 million and $100 million; or
  3. April 1, 2030, if the business has annual revenue under $50 million.

Changes to Existing Obligations

  1. Businesses must confirm to consumers that their opt-out requests (including browser signals) were honored.
  2. New requirements for privacy policies, effective January 1, 2026, include the following:
    1. Mobile apps must include a privacy policy link.
    2. Sensitive personal information now includes minors’ data and neural data.
    3. Privacy policies must explicitly state consumers’ right to non-retaliation for exercising their privacy rights.
    4. Disclosures regarding ADMT rights.
  3. Extended Access Rights
    1. Consumers can request personal information collected since January 1, 2022, not just from the past 12 months.

Next Steps

Given the CPPA’s active enforcement and these new, more stringent requirements, businesses should allocate sufficient funds and project resources in their 2026 budgets to comply with them.

Alicia A. Baiardo

Ali has more than a decade of experience handling complex commercial cases and financial services litigation. She represents clients ranging from individuals to manufacturers, financial services providers, and large financial institutions. She successfully advocates for her clients at all stages of litigation, depending on their goals, by obtaining awards, dismissals and beneficial settlements.

Payam Khodadadi

Payam practices in the areas of bankruptcy, insolvency, complex commercial litigation and privacy. While attending Loyola Law School, he earned the Highest Grade Awards in Bankruptcy and Commercial Law, and externed for the Honorable Thomas B. Donovan, United States Bankruptcy Judge.

Nathanael Williams

Nate’s practice focuses on providing pragmatic, strategic, and business-minded privacy and data security counseling. Nate advises clients on compliance with state and federal privacy laws and regulations, emerging technology risks, preparing for and responding to data breaches, and privacy, data security, and technology-related risks in business mergers and acquisitions, as well as licensing, outsourcing, and commercial transactions.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP

Copyright © 2026, LexBlog. All Rights Reserved.