In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations.  These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.

The updates arrive alongside a signal of the agency’s intensifying enforcement stance.  CPPA staff revealed that hundreds of active investigations are already underway—many involving businesses that have yet to realize they’re under scrutiny.

As 2026 approaches, businesses must prepare for more stringent privacy obligations and heightened enforcement risk.  The message from regulators is clear: compliance must be robust, proactive, and thoroughly documented.  These new rules—years in the making and shaped by extensive public engagement—are not just another layer of red tape.

The following is a short summary of the new and revised regulations.

New Obligations

Automated Decision-Making Technology (ADMT)

The ADMT regulations govern the use of AI or algorithms in decisions that significantly impact consumers in:

  1. Financial services
  2. Housing
  3. Education
  4. Employment
  5. Healthcare

Consumers will have certain rights (subject to exceptions) regarding use of ADMT.  The rights include:

  1. The right to opt out of ADMT for significant decisions.
  2. The right to access information about ADMT logic, personal information processed, outcomes, and human involvement.

An appeal process can replace the opt-out requirement.

Businesses must issue a pre-use notice disclosing ADMT use and consumer rights.

Effective January 1, 2027

Risk Assessments

Risk assessments are required where a business processes consumers’ personal information that presents “significant risk” to consumers’ privacy.  “Significant risk” exists if the business is:

  1. Selling or sharing personal information
  2. Processing sensitive personal information
  3. Using ADMT for a significant decision
  4. Using automated processing to infer characteristics

The business must include detailed documentation, purpose, safeguards, logic of processing, and approval records.

  1. For risk assessments conducted in 2026 and 2027, the business must submit the risk assessment no later than April 1, 2028.
  2. For risk assessments conducted after 2027, the business must submit the risk assessment no later than April 1 the following year.

Reports must be updated every 3 years and retained for at least 5 years.

Cybersecurity Audits

Businesses are required to complete annual cybersecurity audits if the processing of personal information presents a “significant risk” to consumers.  Significant risk exists where:

  1. The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; or
  2. The business is subject to the CCPA; and
    1. Processed personal information of 250,000 or more consumers in the preceding calendar year; or
    2. Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.

The cybersecurity audit requirements include the following:

  1. The business must assess its cybersecurity program, including policies and procedures.
    1. The regulations enumerate 18 components that must be assessed.
  2. The business must produce a cybersecurity audit regarding the assessment.
    1. The audit can be internal or external.
    2. However, for an internal audit, there are additional requirements to report directly to a member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program.

The business must submit certifications to the CPPA by:

  1. April 1, 2028, if the business makes over $100 million;
  2. April 1, 2029, if the business makes between $50 million and $100 million; or
  3. April 1, 2030, if the business makes less than $50 million.

Changes to Existing Obligations

  1. Businesses must confirm to consumers that their opt-out requests (including browser signals) were honored.
  2. New requirements for privacy policies, effective Jan 1, 2026 include the following:
    1. Mobile apps must include a privacy policy link.
    2. Sensitive personal information now includes minors’ data and neural data.
    3. Must explicitly state the consumers’ right to non-retaliation for exercising privacy rights.
    4. Disclosures regarding ADMT rights.
  3. Extended Access Rights
    1. Consumers can request personal information collected since January 1, 2022, not just from the past 12 months.

Next Steps

Given the enforcement actions by the CPPA and these new stringent requirements, businesses should allocate in their 2026 budgets sufficient funds and project resources for compliance with these requirements.

Alicia A. Baiardo

Ali, a partner in the San Francisco office of McGuireWoods, is a commanding commercial litigator trusted by three of the largest U.S. banks and numerous Fortune Global 500 companies to defend high-stakes, multimillion-dollar class actions and other complex litigation. Her practice spans nationwide consumer class actions involving millions of class members, California-wide cases alleging unfair competition, fraud, violation of various consumer protection statutes, complex Ponzi-scheme matters brought against financial institutions, and the rapidly evolving landscape of mass arbitrations. She has a strong track record of successfully representing clients through trial, including defending major national banks in multidistrict class action litigation and individual class actions, skillfully navigating the regulatory implications that often accompany such matters.

Payam Khodadadi

Payam graduated from law school in the top 3% of his graduating class. Payam practices in the areas of data privacy and security, restructuring and insolvency, and complex litigation. In each year from 2013 through 2020, Payam was selected by the prestigious Super Lawyers publication as a “Rising Star.”

Nathanael Williams

Nate’s practice focuses on providing pragmatic, strategic, and business-minded privacy and data security counseling. Nate advises clients on compliance with state and federal privacy laws and regulations, emerging technology risks, preparing for and responding to data breaches, and privacy, data security, and technology-related risks in business mergers and acquisitions, as well as licensing, outsourcing, and commercial transactions.