As fall officially arrives, businesses are gearing up for another round of California privacy compliance obligations. The California Office of Administrative Law approved long-awaited regulations under the California Consumer Privacy Act (CCPA) on September 22, 2025.
The lengthy regulations, which cover automated decisionmaking technology (ADMT), cybersecurity audits, risk assessments, and other CCPA updates, go into effect January 1, 2026. That said, many of the key substantive obligations under the regulations will not be enforceable until 2027 and beyond.
Key Takeaways
- A business must complete a cybersecurity audit if its processing of personal information presents a “significant risk” to consumers’ security. It must also submit a written certification to the Agency that it completed the audit as required.
- The earliest that a business would need to complete a cybersecurity audit report is April 1, 2028.
- A business must complete a risk assessment before initiating personal information processing if the processing presents “significant risk” to consumers’ privacy, which includes (but is not limited to) selling or sharing personal information, processing sensitive personal information, and using ADMT for a “significant decision.”
- For any ongoing processing activity requiring a risk assessment that the business initiated prior to January 1, 2026, the business must conduct and document an assessment no later than December 31, 2027.
- A business that uses ADMT to make a “significant decision” must comply with ADMT requirements, including (but not limited to) providing a Pre-use Notice and two or more mechanisms to opt out of ADMT.
- A business that uses ADMT for a significant decision prior to January 1, 2027 must comply with the regulations no later than January 1, 2027.
- The regulations make it mandatory to (1) display whether the business has processed the consumer’s opt-out preference signal as a valid opt-out request, and (2) for opt-out requests submitted through other means, provide a means by which a consumer can confirm that their request to opt out has been processed by the business.
Businesses subject to the CCPA should start preparing to comply with key obligations under the new regulations, including the following:
Cybersecurity Audits
- Applicability. A business must complete a cybersecurity audit if its processing of consumers’ personal information presents a “significant risk” to consumers’ security. Such processing is deemed to present a significant risk if either of the following is true:
  - The business derived 50 percent or more of its annual revenues from selling or sharing consumers’ personal information in the preceding calendar year; or
  - The business, as of January 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year (as adjusted for inflation) and either (a) processed the personal information of 250,000 or more consumers or households in the preceding calendar year or (b) processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
- Timing for compliance. The deadline for completing the first cybersecurity audit depends on the business’s annual gross revenue, with larger businesses having earlier compliance deadlines. The earliest that a business would need to complete a cybersecurity audit report is April 1, 2028 (covering the period from January 1, 2027, through January 1, 2028).
- Thoroughness, independence, and scope of cybersecurity audits and reports. The regulations contain detailed requirements regarding what a cybersecurity audit must cover and what the cybersecurity report must contain. Internal audits are permitted provided they are independent, and the highest-ranking auditor must report to a member of the business’s executive management team who does not have direct responsibility for the cyber program (the report itself must also be provided to executive management with direct responsibility for the cyber program). In addition, utilizing a cybersecurity assessment prepared for another purpose is permissible if it meets all requirements of the regulations, on its own or through supplementation. Notably, the report must describe in detail the status of any gaps or weaknesses deemed to increase designated risks to personal information.
- Certification of completion. For each calendar year that it is required to complete a cybersecurity audit, a business must submit a written certification to the Agency that it completed the cybersecurity audit as required by the regulations. The written certification must be completed by a member of the executive management team who (i) is directly responsible for cybersecurity-audit compliance, (ii) has sufficient knowledge of the audit to provide accurate information, and (iii) has the authority to submit the certification.
- Retention. The business and auditor must retain all documents relevant to the audit for at least five (5) years.
Risk Assessments
- Applicability. As with the cybersecurity audit, a business must complete a risk assessment before initiating personal information processing if the processing presents “significant risk” to consumers’ privacy, which includes:
  - Selling or sharing personal information;
  - Processing sensitive personal information (with limited exceptions for employee/contractor sensitive information processing);
  - Using ADMT for a significant decision concerning a consumer (“significant decision” is defined in the regulations as including decisions that impact financial or lending services, housing, education, employment, or healthcare; notably, a significant decision does not include advertising to a consumer);
  - Using automated processing to infer or extrapolate certain aspects of a consumer (their intelligence, ability, performance at work, preferences, health, economic situation, or location, among others) based upon (i) systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business or (ii) the consumer’s presence in a “sensitive location” (as defined under the regulations), excluding using a consumer’s personal information solely for delivery of goods or provision of transportation to a sensitive location; or
  - Processing consumer personal information that the business intends to use to train an ADMT for a significant decision concerning a consumer, or training technology for identity verification, physical or biological identification, or profiling.
- Requirements. The regulations detail what must be included in a risk assessment, such as operational elements of the planned processing, benefits of the processing, negative privacy impacts of the processing, and privacy safeguards that the business plans to implement. The purpose and benefits of processing cannot be listed generically (e.g., improve the services); however, if the service improvement is to enhance consumers’ privacy rights (e.g., decreasing wait times to process privacy rights requests), that use case is an acceptable purpose/benefit under the regulations.
- While the assessment report must identify the individuals who provided information for it, legal counsel providing legal advice may be excluded. The assessment must be reviewed and approved by an individual with authority to participate in deciding whether to engage in the processing.
- Additional ADMT Requirements. A business that makes ADMT available to another business to make a “significant decision” must provide the recipient business with all facts available that are necessary for the recipient to conduct its own risk assessment.
- Timing. A risk assessment must be completed before initiating the processing activity and must be regularly reviewed and updated in accordance with the regulations. For any ongoing processing activity requiring a risk assessment that the business initiated prior to January 1, 2026, the business must conduct and document an assessment no later than December 31, 2027. For risk assessments conducted in 2026 and 2027, a business must submit certain information to the Agency (as detailed in the regulations) no later than April 1, 2028.
- Retention. Risk assessments (both original and updated versions) must be retained for as long as the processing continues or for five (5) years after the risk assessment completion, whichever is later.
ADMT
- ADMT definition. The regulations define ADMT as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” ADMT also includes “profiling” as defined under the CCPA.
- Scope and requirements. A business that uses ADMT to make a “significant decision” (see above) concerning a consumer must comply with ADMT requirements, including:
  - Providing consumers with a Pre-use Notice as detailed in the regulations;
  - With certain exceptions, providing consumers with two (2) or more mechanisms to opt out of a business’s use of ADMT to make a significant decision, including, where a business interacts with a consumer online, by providing an opt-out link that leads to an interactive opt-out form; and
  - Appropriately responding to a consumer’s request to access ADMT, including providing information about the logic of the ADMT and the outcome of the decisionmaking process for the consumer (excluding certain information like trade secrets or information that would compromise the ability to protect against security incidents, fraud, and physical safety).
- Timing. A business that uses ADMT for a significant decision prior to January 1, 2027 must comply no later than January 1, 2027. A business that uses ADMT on or after January 1, 2027 must comply any time it is using ADMT for a significant decision.
General CCPA Updates
- Sensitive information. The regulations update the definition of “sensitive personal information” to include personal information of consumers who, according to the business’s actual knowledge, are less than 16 years old. A business that willfully disregards a consumer’s age will be deemed to have had actual knowledge of the consumer’s age.
- Opt-out confirmation and links. The regulations make it mandatory (as opposed to optional) to (1) display whether the business has processed the consumer’s opt-out preference signal as a valid opt-out request, and (2) for opt-out requests submitted through other means, provide a means by which a consumer can confirm that their request to opt out has been processed by the business.
- The regulations also make it mandatory (as opposed to optional) to provide an opt-out link directly within a mobile application, such as through the app’s settings menu.
- Prohibited methods of obtaining consent. The regulations provide additional examples of prohibited methods of obtaining consent, including where a consumer closes or navigates away from a pop-up window that requests consent without first affirmatively selecting the equivalent of “I accept” or by using toggles that state “on” or “off” without including further clarifying language.
- Requests to know. For personal information collected on or after January 1, 2022, businesses must specifically provide a means by which a consumer can request that the business provide their personal information collected prior to the 12-month period preceding the request, such as by selecting a date range. In addition, when responding to a request to know, a business will need to provide the categories of service providers or contractors to whom the business disclosed personal information.