CA Finalizes Updated Privacy Regulations
The California Privacy Protection Agency (CPPA) approved updated regulations governing requirements for cybersecurity audits, risk assessments on consumer data practices, and use of automated decisionmaking technology (ADMT).
Businesses whose processing of consumers’ personal information presents significant risk to consumers’ security must complete annual cybersecurity audits. Among other things, these audits must evaluate whether the company’s cybersecurity program protects consumer information from unauthorized use or disclosure; whether the program is appropriate for the size, nature, and complexity of the business, taking into account the state of the art and costs of implementation; how the business implements and enforces compliance with its cybersecurity program; and the business’s use of certain technical controls and other features. Businesses must submit annual certifications to the CPPA that they completed these cybersecurity audits as required.
Before starting any processing of consumer information, businesses must also conduct a risk assessment to determine whether the risks to consumer privacy from the proposed activity outweigh the benefits to the consumer, the business, other stakeholders, and the public. The regulations provide various factors to consider in making this assessment, and businesses must review and update these risk assessments over time or when making material changes. Further, businesses must submit reports and attestations about these risk assessments to the CPPA.
Finally, the regulations create new requirements related to ADMT used for “significant decisions,” which include the provision or denial of financial or lending services and housing. ADMT refers to technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. Among other things, businesses will need to provide pre-use notice to consumers about the business’s use of ADMT, the consumer’s right to opt out of ADMT, and the consumer’s right to access additional information about the company’s ADMT with respect to that consumer.
The effective date of the revised regulations is January 1, 2026, though some requirements have later compliance dates, or staggered compliance dates based on the size of the business.
