The California Privacy Protection Agency (CPPA) has significantly expanded the reach of the California Consumer Privacy Act (CCPA) through new and amended regulations that impose:
- New standards for automated decisionmaking technologies (ADMT), including certain artificial intelligence (AI) tools.
- Comprehensive cybersecurity audit requirements for businesses.
- Detailed privacy risk assessments for high-risk processing activities.
The regulations also update existing provisions, including those governing opt-out preference signals and service provider obligations. The CPPA announced the California Office of Administrative Law’s approval of the new and amended regulations on September 23, 2025. The regulations take effect January 1, 2026, with phased-in deadlines through 2030.
Automated Decisionmaking Technology: January 1, 2027 Compliance Deadline
Businesses that use ADMT to make significant decisions concerning California residents (defined under the CCPA as “consumers,” including employees, contractors, and applicants[1]) must comply with new requirements to provide notice of ADMT use and to offer consumers the right to access and opt out of ADMT. The regulations set a compliance deadline of January 1, 2027, after which enforcement is expected to begin.
Applicability
The regulations define ADMT as “any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking.”[2] A technology “substantially replaces human decisionmaking” if its outputs are used without meaningful human involvement; meaningful involvement requires that an individual be able to interpret, analyze, and change the decision based on that output.[3] A significant decision is a “decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.”[4]
Pre-use notice to consumers
Before using ADMT for significant decisions, businesses must provide a prominent and conspicuous notice to consumers explaining:
- The specific purpose(s) for which the business plans to use the ADMT.
- How consumers can opt out.
- The categories of personal information that affect outputs.
- The types of outputs generated.
- How outputs are used to make significant decisions.
- An alternative process for making decisions if the consumer opts out.[5]
Businesses do not need to disclose trade secrets or any information that would compromise the business’s ability to prevent, detect, or investigate security incidents, protect against malicious or illegal actions, or ensure physical safety.[6]
Right to opt out
Consumers must be allowed to opt out of the use of ADMT to make significant decisions unless the business provides an appeal process to a human reviewer who can overturn the decision. Certain notable exceptions apply. For example, a business need not offer an opt-out for admission, acceptance, or hiring decisions if it uses the ADMT solely to assess the individual’s ability to perform in the role and does not unlawfully discriminate based on protected characteristics. The same exception applies to allocation/assignment of work and compensation decisions.[7]
The opt-out requirements may be onerous. For example, if a consumer submits an opt-out request after the business has initiated the processing, the business must cease use of that personal information within 15 days, notify all third parties to whom the information was disclosed, and instruct them to comply with the request within 15 days.[8]
Transparency requirements
Upon request, businesses must disclose to consumers, among other information:
- The specific purpose(s) for which the business used the ADMT.
- The logic of the ADMT and how it generates outputs.
- The outcome of the decision-making process.
- Any plans to use those outputs for future significant decisions.[9]
This new “algorithmic transparency” standard makes it important for businesses to document sufficient technical information about the operation of the ADMT before first use and to ensure that vendors supplying ADMT meet these obligations. As with the pre-use notices, businesses are not required to disclose trade secrets or any information that would compromise security or safety.[10]
Cybersecurity Audits: Phased Implementation Deadlines Beginning April 1, 2028
The regulations require certain businesses to conduct annual cybersecurity audits to evaluate the effectiveness of their cybersecurity program—defined as the policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure, and guard against unauthorized activity resulting in the loss of availability of personal information.[11]
Applicability
The cybersecurity audit requirement applies to businesses whose processing of consumers’ personal information presents a significant risk to consumers’ security. This threshold is met if a business:
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; or
- Has an annual gross revenue of $25 million or more (adjusted for inflation) and, in the preceding calendar year, processed either:
  - Personal information of 250,000 or more consumers/households, or
  - Sensitive personal information of 50,000 or more consumers.[12]
Phased implementation / timeline
The audit requirement will be phased in based on annual gross revenue:
| Annual Gross Revenue | Audit Report Due Date | Audit Period Covered |
| --- | --- | --- |
| Over $100 million (as of Jan. 1, 2027) | April 1, 2028 | Jan. 1, 2027–Jan. 1, 2028 |
| $50 million–$100 million (as of Jan. 1, 2028) | April 1, 2029 | Jan. 1, 2028–Jan. 1, 2029 |
| Less than $50 million (as of Jan. 1, 2029) | April 1, 2030 | Jan. 1, 2029–Jan. 1, 2030 |
After April 1, 2030, any business that meets the audit criteria for the previous year must complete a cybersecurity audit for the next 12 months and submit the report by April 1 of the next year.[13]
Scope of cybersecurity audit
The audit must focus on specific “information systems,” including hardware, software, network appliances, and other resources—whether owned by a business or its third-party vendor—that are “organized for the processing of personal information or that can provide access to personal information.”[14] The regulations outline 18 categories of security controls (listed below) that the auditor must assess, if applicable:[15]
- Authentication – including phishing-resistant multi-factor authentication and strong, unique passwords or passphrases, with a minimum length of eight characters, not a commonly used password, and not reused.
- Encryption – including encrypting personal information at rest and in transit.
- Account management and access controls – access to personal information is limited to only those who need it (least privilege), privileged accounts are tightly controlled, and access is monitored.
- Inventory and management of personal information and information systems – maintain up-to-date lists of where personal information is stored and processed, keep inventories of hardware and software, and have approval processes for adding new systems.
- Secure configuration of hardware and software – keep systems updated, secure both on-premises and cloud environments, mask sensitive data where appropriate, manage security patches, and use change management procedures.
- Vulnerability scans and penetration testing – regularly run internal and external scans for vulnerabilities, conduct penetration testing, and have a way for people to report security issues (like a bug bounty or disclosure program).
- Audit-log management – including centralized storage (e.g., a security information and event management (SIEM) tool), retention, and monitoring of logs for suspicious behavior.
- Network monitoring and defenses – deploy tools such as bot detection, intrusion detection and prevention, and data-loss prevention to monitor and protect the network.
- Antivirus and antimalware protections – implement and maintain up-to-date antivirus and antimalware software on endpoints to aid in the detection, prevention, and remediation of malicious software.
- Segmentation of information systems – separate networks and systems using firewalls, routers, and switches, which can, in part, mitigate the spread of a potential unauthorized actor.
- Limitation and control of ports, services, and protocols – disable or restrict unnecessary ports, services, and network protocols to reduce the attack surface and prevent unauthorized access.
- Cybersecurity awareness – stay informed about the evolving cybersecurity threat landscape.
- Cybersecurity education and training – provide regular training for everyone, including employees, independent contractors, and other personnel who access the business’s information systems. The regulations suggest training should be provided at the time of onboarding, annually, and after any security incident.
- Secure development and coding best practices – including conducting code reviews and testing for vulnerabilities.
- Oversight of service providers, contractors, and third parties – ensure that vendors and partners follow security requirements and comply with the regulations.
- Retention schedules and proper disposal of personal information – maintain procedures for securely destroying personal information, such as by shredding, erasing, or making it unreadable or undecipherable, when it is no longer needed.
- Incident response management – have a documented plan for responding to security incidents, test the plan, and include steps for recovery. Notably, the regulations define “security incident” much more broadly than the “breach of security of the system” definition in California’s data breach notification statute.[16] While a “breach of security of the system” is limited to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, the regulations define “security incident” to include any occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability (rather than the “security”) of information. In addition, a “security incident” also covers any violation or imminent threat of violation of the business’s cybersecurity program, even if no data has been acquired or compromised.[17] This means the CCPA audit standard is triggered by a much wider range of events, including attempted attacks, system outages, and policy violations, not just successful data breaches.
- Business continuity and disaster recovery plans – maintain backups and plans for continuing operations and recovering data as necessary.
The regulations incorporate a degree of flexibility by requiring the auditor to assess whether the business’s cybersecurity program—including its policies and procedures—is tailored to the business’s particular characteristics, such as its size, complexity, the nature and extent of its personal information processing activities, and the feasibility and cost of implementing specific security measures.[18]
The auditor must also certify that the audit did not rely primarily on assertions or attestations by the business’s management, but instead was based on an actual review of the cybersecurity program and supporting evidence—meaning the audit cannot simply be interview-based or rely on management’s word alone.[19] Because these eighteen controls are specifically identified in the regulations, they may become a practical benchmark for regulators and potential plaintiffs in evaluating a business’s cybersecurity program.
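As an added illustration, not code from the advisory or from the regulations, the following Python snippet shows one way to implement the password elements of the authentication control listed above: a minimum length of eight characters, rejection of commonly used passwords, and rejection of passwords the account has used before. The common-password set and the `PasswordHistory` store are constructed for this example; a real deployment would load a full common-password list and keep history in its identity system. History entries are kept only as salted PBKDF2 hashes, so the reuse check never requires storing prior passwords in clear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of "commonly used" passwords for this example only; a real
# deployment would load a large published common/breached-password list.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "12345678", "qwerty123", "letmein1", "iloveyou",
})

MIN_LENGTH = 8            # minimum length named in the audit control
PBKDF2_ITERATIONS = 100_000  # kept modest for the example; raise for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so that password history is never stored in clear."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PasswordHistory:
    """Hashed history of an account's previous passwords (hypothetical store)."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def add(self, password: str) -> None:
        self.entries.append(hash_password(password))

    def was_used(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.entries)


def check_password(password: str, history: PasswordHistory) -> List[str]:
    """Return the policy violations for a candidate; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if history.was_used(password):
        problems.append("previously used by this account")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("correct horse battery")  # constructed prior password
    for candidate in ["short", "Password1", "correct horse battery", "staple-ocean-47"]:
        print(f"{candidate!r} -> {check_password(candidate, hist) or 'ok'}")
```

The reuse check is deliberately the most expensive step: each stored entry carries its own salt, so a candidate must be re-hashed once per history entry, which is why history length should be capped in practice.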
Auditor requirement
The audit must be conducted by a qualified, objective, independent professional using procedures and standards accepted in the auditing profession (e.g., AICPA, PCAOB, ISACA, ISO). The auditor may be internal or external but must have cybersecurity expertise, exercise impartial judgment, and avoid conflicts of interest. Internal auditors must report to executive management with no direct responsibility for cybersecurity.[20]
Cybersecurity audit report
The report must describe the business’s information system, the policies and practices reviewed, the criteria and evidence used, and the findings. The report should identify which security controls were assessed, note any gaps or weaknesses (and remediation plans), and include corrections to prior reports. The report must also list up to three individuals responsible for cybersecurity, identify the auditor’s credentials, and include a signed certification of independent review. If there were notifications to California consumers or the Attorney General under the data breach notification statute, copies or descriptions must be included. The report must be provided to executive management responsible for cybersecurity and retained, along with supporting documents, for five years.[21]
Because audit reports may be subject to regulatory review or discovery, businesses may consider a multi-phase or dual-track approach—first conducting an internal audit under attorney-client privilege to identify and remediate any significant gaps, then completing the formal CCPA audit after those gaps have been addressed. This strategy may help avoid having an unfavorable audit become part of the public or regulatory record.
Certification
Each year a business completes a cybersecurity audit, it must submit a written certification signed by a member of executive management with direct audit oversight and authority to certify compliance.[22]
Risk Assessments: First Attestation Due April 1, 2028
Applicability
The new regulations require businesses to complete privacy risk assessments to evaluate processing activities that may pose a significant risk to consumer privacy. Businesses must complete these assessments before engaging in the following processing activities:[23]
- Selling or sharing personal information.
- Processing sensitive personal information.
- Profiling based on systematic observation of consumers acting in their capacity as applicants, employees, students, or independent contractors, or based on presence in sensitive locations (e.g., health care facilities, shelters, educational institutions, political party and legal services offices, and places of worship).
- Using ADMT for significant decisions concerning consumers.
- Processing personal information with intent to train ADMT for significant decisions.[24]
- Training a facial-recognition, emotional-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer.
Content
The risk assessments must identify and document, among other information:[25]
- The categories of personal information (including sensitive) to be processed and the specific purpose(s) for which that information will be processed.
- The benefits of the processing to the business, consumers, stakeholders, or the public.
- The potential negative impacts to consumers’ privacy and the safeguards put in place to address those negative impacts.
- The planned methods of processing and the sources of information.
- The retention periods (or at least the criteria for determining the periods).
If ADMT is involved, the report must also include the logic of the ADMT, the outputs generated, and how those outputs will be used to make significant decisions.[26]
Personnel and retention
Businesses must involve in the risk assessment process the personnel who will be involved in the processing activity and who will provide the information for the assessment. The report must also identify the individuals who reviewed and approved the assessment. One of these individuals must have authority to participate in deciding whether to initiate the processing.[27]
Businesses must retain each risk assessment, including original and updated versions, for as long as the processing continues or for five years after the completion of the assessment, whichever is later.[28]
Submission and timing
Businesses must submit an annual attestation to the CPPA under penalty of perjury[29] that all required risk assessments for the preceding calendar year have been completed. Each annual attestation must contain, among other information:
- Time period covered and certification date.
- The number of risk assessments conducted or updated during the period.
- The categories of personal and sensitive information covered.[30]
Businesses must submit the required annual attestations by April 1 for applicable data processing activities during the prior calendar year. The first annual attestation is due April 1, 2028, and must include risk assessments conducted in 2026 and 2027.[31] Businesses must conduct a risk assessment for any applicable processing activity that began before January 1, 2026, and continues thereafter.[32] As with the cybersecurity audits, the full risk assessment reports may be subject to regulatory review or discovery, so businesses may consider employing a dual-track approach to protect privilege over certain materials.
Businesses must update their risk assessments at least every three years and within 45 days of a material change in an applicable processing activity, to ensure continued accuracy. A change is material if it creates new negative impacts, increases the magnitude or likelihood of negative impacts, or diminishes the effectiveness of safeguards.[33]
Service Provider Obligations
Service providers and contractors have a direct obligation under the new regulations to cooperate with businesses’ efforts to comply with the new ADMT, cybersecurity audit, and privacy risk assessment standards.[34]
For example, a business that provides ADMT to a customer business for making significant decisions must disclose all facts necessary for the customer business to conduct its own risk assessment and must assist in responding to consumer requests.[35] Businesses must embed these requirements within applicable contracts, so businesses may need to revise contracts to comply.[36]
Amendments to Existing CCPA Obligations
The new regulations also amend existing CCPA regulations in several important ways:
- Expanded Scope. The CCPA now applies to insurance companies that meet its applicability thresholds, in certain contexts.[37]
- Enhanced Opt-Out Signal Processing. Businesses must configure websites to automatically display whether the business has processed a consumer’s opt-out preference signal as a valid request to opt out of sale/sharing.[38]
- Real-Time Bidding. Businesses with websites that instantaneously share/sell personal information through real-time bidding must configure the website to comply immediately with a consumer’s opt-out request, to the extent feasible (i.e., they cannot take the 15 business days).[39]
- Dark Patterns. The regulations increase scrutiny on symmetry-in-choice requirements and the prohibition of dark patterns, intended to crack down on design patterns that steer consumers toward reduced-privacy options.[40]
- Sensitive Personal Information. The regulations expand the definition of sensitive personal information to include neural data and data of children under 16.[41]
- Privacy Policies. Businesses must update privacy policies to include the rights to opt out of and access ADMT.[42]
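As an added example, not code from the advisory, here is one way a web backend could implement the opt-out signal display and real-time bidding items above in Python. It assumes the opt-out preference signal is Global Privacy Control (GPC), which browsers send as the request header `Sec-GPC: 1`; the `OptOutDecision` structure, the status messages, and the sample headers are constructed for this example. Header names are matched case-insensitively, and only the literal value `1` counts as a signal, so a malformed header is treated as no signal rather than as an opt-out.

```python
from dataclasses import dataclass
from typing import Dict

# Assumption: the opt-out preference signal is Global Privacy Control (GPC),
# sent as the request header "Sec-GPC: 1". Any other value is not a valid signal.
GPC_HEADER = "sec-gpc"


@dataclass(frozen=True)
class OptOutDecision:
    signal_received: bool   # a valid Sec-GPC: 1 header was present on this request
    opted_out: bool         # the business is treating the consumer as opted out of sale/sharing
    suppress_rtb: bool      # real-time bidding must not run for this request
    status_message: str     # text the page displays so the consumer can see the signal's status


def parse_opt_out_signal(headers: Dict[str, str]) -> bool:
    """True only when a Sec-GPC header (any case) carries exactly the value '1'."""
    normalized = {name.strip().lower(): value.strip() for name, value in headers.items()}
    return normalized.get(GPC_HEADER) == "1"


def decide(headers: Dict[str, str], already_opted_out: bool = False) -> OptOutDecision:
    """Combine the per-request signal with any opt-out the consumer recorded earlier.

    A stored opt-out persists even when the browser stops sending the signal; the
    signal alone is enough to stop sale/sharing (and real-time bidding) immediately.
    """
    signal = parse_opt_out_signal(headers)
    opted_out = signal or already_opted_out
    if signal:
        message = ("Your opt-out preference signal has been honored: we are not selling "
                   "or sharing your personal information.")
    elif already_opted_out:
        message = ("You have previously opted out of the sale or sharing of your "
                   "personal information.")
    else:
        message = "No opt-out preference signal was received with this request."
    # The same decision drives both the on-page status and whether RTB tags are emitted,
    # so the two can never disagree.
    return OptOutDecision(signal, opted_out, opted_out, message)


if __name__ == "__main__":
    # Constructed request headers for demonstration.
    sample_requests = [
        {"Host": "example.test", "Sec-GPC": "1"},
        {"Host": "example.test", "sec-gpc": "0"},
        {"Host": "example.test"},
    ]
    for headers in sample_requests:
        d = decide(headers)
        print(f"{headers} -> opted_out={d.opted_out} suppress_rtb={d.suppress_rtb}")
        print("   ", d.status_message)
```

Because `suppress_rtb` is derived from the same decision as the displayed status, the page cannot report that the signal was honored while a bidding tag still fires; wiring the RTB tag loader to this flag is what turns the "comply immediately" requirement into a request-time check rather than a batch job.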
Businesses subject to the CCPA will need to move quickly to comply with the new regulations and meet the required reporting and certification deadlines. For guidance on how the new regulations may affect your organization, please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team.
Endnotes
1. Cal. Civ. Code § 1798.140(g).
2. Cal. Code Regs. tit. 11, § 7001(e).
3. Cal. Code Regs. tit. 11, § 7001(e).
4. Cal. Code Regs. tit. 11, § 7001(ddd). Note that the November 22, 2024 initial proposal of the regulations included insurance, criminal justice services, and essential goods and services on this list. Under the finalized regulations, businesses that use ADMT for only these three categories will not be required to comply with the ADMT regulations.
5. Cal. Code Regs. tit. 11, § 7220(b)-(c).
6. Cal. Code Regs. tit. 11, § 7220(d).
7. Cal. Code Regs. tit. 11, § 7221(b)(1)-(3).
8. Cal. Code Regs. tit. 11, § 7221(n).
9. Cal. Code Regs. tit. 11, § 7222(a)-(b).
10. Cal. Code Regs. tit. 11, § 7222(c).
11. Cal. Code Regs. tit. 11, § 7001(k).
12. Cal. Code Regs. tit. 11, § 7120.
13. Cal. Code Regs. tit. 11, § 7121.
14. Cal. Code Regs. tit. 11, § 7001(t).
15. Cal. Code Regs. tit. 11, § 7123(c).
16. Cal. Civ. Code § 1798.82(g).
17. Cal. Code Regs. tit. 11, § 7123(c)(17)(A).
18. Cal. Code Regs. tit. 11, § 7123(b).
19. Cal. Code Regs. tit. 11, § 7122(d).
20. Cal. Code Regs. tit. 11, § 7122(a).
21. Cal. Code Regs. tit. 11, § 7123(e).
22. Cal. Code Regs. tit. 11, § 7124.
23. Cal. Code Regs. tit. 11, § 7150(b).
24. Under the initial proposal, businesses were required to conduct risk assessments and comply with ADMT obligations when processing personal information to train ADMT that could potentially be used for certain purposes. Now, intent is required.
25. Cal. Code Regs. tit. 11, § 7152(a).
26. Cal. Code Regs. tit. 11, § 7152(a)(3)(G).
27. Cal. Code Regs. tit. 11, § 7151 and § 7152(a)(9).
28. Cal. Code Regs. tit. 11, § 7155(c).
29. The following statement must be included: “I attest that the business has conducted a risk assessment for the processing activities set forth in California Code of Regulations, Title 11, section 7150, subsection (b), during the time period covered by this submission, and that I meet the requirements of section 7157, subsection (c). Under penalty of perjury under the laws of the state of California, I hereby declare that the risk assessment information submitted is true and correct.” Cal. Code Regs. tit. 11, § 7157(b)(5).
30. Cal. Code Regs. tit. 11, § 7157(b).
31. Cal. Code Regs. tit. 11, § 7157(a).
32. Cal. Code Regs. tit. 11, § 7155(b). These risk assessments must be completed by December 31, 2027.
33. Cal. Code Regs. tit. 11, § 7155(a).
34. Cal. Code Regs. tit. 11, § 7050(h) and § 7051(a)(5).
35. Cal. Code Regs. tit. 11, § 7153.
36. Cal. Code Regs. tit. 11, § 7051(a)(5).
37. Cal. Code Regs. tit. 11, § 7271(a).
38. Cal. Code Regs. tit. 11, § 7025(c)(6).
39. Cal. Code Regs. tit. 11, § 7026(f)(3)(A).
40. Cal. Code Regs. tit. 11, § 7004(a)(2)-(5).
41. Cal. Code Regs. tit. 11, § 7001(bbb).
42. Cal. Code Regs. tit. 11, § 7011(e)(2)(F)-(G).