LawFlash

CPPA Board Finalizes New Rules on ADMT, Cybersecurity Audits, and Risk Assessments

August 4, 2025

The California Privacy Protection Agency (CPPA) board unanimously voted on July 24, 2025 to finalize a package of regulations related to automated decision-making technology (ADMT), cybersecurity audits, and risk assessments. The long-awaited regulations establish additional requirements on certain businesses operating in California, and are now pending final review by the Office of Administrative Law.

Requirements established by the new regulations include the following:

  • ADMT is now limited to technology that makes significant decisions about consumers without human involvement—when companies use ADMT in that way, they must provide consumers with certain rights, including notice of the use of ADMT, the right to opt out, and the right to appeal ADMT decisions
  • Businesses must complete an annual cybersecurity audit when their processing of personal information poses a significant risk to consumer privacy and certify their audit to the CPPA
  • Businesses must also maintain updated risk assessments when their use of personal information could be a significant risk to consumer privacy

Additionally, the CPPA revised certain existing regulations to the California Consumer Privacy Act (CCPA). Those changes are detailed further below.

AUTOMATED DECISION-MAKING TECHNOLOGY

Under the new regulations, the CPPA defines what constitutes ADMT amid its growing use and associated data security risks. ADMT is defined in the new rules as technology that processes personal information “to replace human decisionmaking or substantially replace human decision-making.” “Substantially replace human decisionmaking” is defined as when a business uses the technology to make a decision “without human involvement.”

The regulations state that human involvement means the human reviewer (1) knows how to interpret the technology’s output, (2) affirmatively reviews the technology’s output to make a decision, and (3) has actual authority to make or change the technology’s decision based on his or her own analysis.

Next, the rules limit the reach of the ADMT provisions to companies that use ADMT to make a significant decision about consumers. The ADMT provisions require human oversight in significant decisions. A “significant decision” is one that relates to financial or lending services, housing, education, employment, or healthcare services.

If the definition applies, a business needs to provide consumers with certain rights. In particular, a business must provide notice of its use of ADMT, which must be displayed at or before the point of collection. The notice must describe what personal information will be used in the ADMT technology and the purposes for which the technology will be used. Additionally, a business must allow a consumer to opt out of its use of ADMT and appeal any decisions made using that technology, both of which must be disclosed in the ADMT notice.

Of note, early versions of this rule included restrictions on the use of artificial intelligence (AI) technology more generally. Those highly controversial ADMT restrictions on AI were removed from the final rule package to allow the California legislature to weigh in prior to any further CPPA rulemaking.

CYBERSECURITY AUDITS

The CPPA also adopted rules required by the California Privacy Rights Act (CPRA), which amended the CCPA, defining the scope of businesses’ mandatory annual cybersecurity audits. Cybersecurity audits must be performed where processing of consumers’ personal information may be a “significant risk” to consumers’ security—that is, if the business derives 50% of its annual revenue from selling or sharing personal information; has annual gross revenues exceeding $26,625,000; or annually processes personal information of more than 250,000 consumers or sensitive personal information of more than 50,000 consumers.

Under the new rules, cybersecurity audits must follow standardized procedures and be completed by an independent auditor knowledgeable about cybersecurity and cybersecurity audits. The auditor can be internal or external, but if the business uses an internal auditor, that individual must report to a member of the business’s executive management team who does not have cybersecurity responsibility.

The rules establish a number of categories of information that the auditor must review, if applicable, including the following:

  • Authentication/passwords
  • Encryption of personal information
  • Account management and access controls
  • Inventory of personal information
  • Vulnerability scanning and penetration testing
  • Audit log management
  • Network monitoring and defenses
  • Cybersecurity awareness and education
  • Retention schedules
  • Incident response management

The CPPA adopted a phased timeline for these cybersecurity audits based on business size:

  • For businesses with gross revenue of more than $100 million, the first audit must cover the year 2027;
  • For businesses with gross revenue between $50 million and $100 million, the first audit must cover 2028;
  • For businesses with gross revenue of less than $50 million, the first audit must cover 2029.

All audits must be completed annually thereafter, and an annual certification of completion must be submitted to the CPPA by April 1 following the reporting period.

RISK ASSESSMENTS

The CPPA also finalized rules related to businesses’ risk assessments. Under the new rules, businesses must complete a risk assessment when there is a “significant risk” to consumer privacy, which includes

  • selling or sharing personal information;
  • processing sensitive information;
  • using ADMT for significant decisions; or
  • using automated processing to infer personal characteristics during education, job seeking, employment, or independent contracting.

Businesses are obligated to update their risk assessments at least every three years and submit a summary report to the CPPA. The rules also acknowledge that businesses may rely on risk assessments prepared for another purpose so long as those assessments meet the new regulations. Businesses will have until December 31, 2027 to complete their risk assessments, with the first summary reports due to the CPPA by April 1, 2028.

CCPA REVISIONS

Finally, the CPPA included certain changes and updates to the CCPA regulations it previously issued, including imposing the following requirements:

  • Opting out must require the same number of steps as, or fewer steps than, opting in (e.g., for cookie management)
  • Links to a company’s privacy policy must be on any webpage that collects personal information
  • Consumers may request from companies their personal information collected beyond the prior 12 months, to the extent it exists

NEXT STEPS

The rules now head to the California Office of Administrative Law for approval before taking effect. The Office of Administrative Law has 30 days to approve the rules.

In the meantime, businesses may want to evaluate whether the regulations apply to them and start developing processes to ensure compliance. While these new rules are less onerous than some of the draft rules that were offered, and while the CPPA provided lead time for phased implementation, compliance may still require substantial planning and updates to existing systems.

Recommended Actions:

  • Businesses that use ADMT for significant decisions without meaningful human review should revise their privacy policies and implement systems to provide notice of their ADMT usage.
  • Businesses that process consumer personal information with “significant risk” should begin identifying the categories of information to be covered by a cybersecurity audit and consider engaging qualified auditors, given that the audit process will likely take time and refinement.
  • Businesses required to conduct risk assessments should begin analyzing their internal processes to ensure all regulatory elements are addressed well before the end of 2027.

HOW WE CAN HELP

Our lawyers are well situated to help companies navigate the CCPA and accompanying rules and regulations, as well as other consumer privacy laws. For additional information, please see our US Consumer Privacy Acts page, which includes a state consumer privacy compliance checklist and a California-specific checklist. Our team stands ready to assist businesses in this evolving and challenging regulatory landscape.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Gregory T. Parks (Philadelphia)
Ezra D. Church (Philadelphia)
Heather Egan (Boston)
Kristin M. Hadgis (Philadelphia)
Megan A. Suehiro (Los Angeles)
Hannah Levin (Washington, DC)
Phillip J. Wiese (San Francisco)