California Adopts CCPA Regulations on Risk Assessments and Cybersecurity
Summary
The California Privacy Protection Agency has adopted final regulations updating the CCPA. These regulations implement requirements for risk assessments, annual cybersecurity audits, and consumers' rights regarding automated decision-making technology, effective January 1, 2026.
What changed
The California Privacy Protection Agency (CPPA) has finalized new regulations under the California Consumer Privacy Act (CCPA). These updates, effective January 1, 2026, introduce mandatory requirements for certain businesses to conduct risk assessments and annual cybersecurity audits. Additionally, the regulations clarify consumers' rights to access and opt out of businesses' use of Automated Decisionmaking Technology (ADMT), and provide specific guidance on when insurance companies must comply with the CCPA.
Businesses operating in California that meet the criteria for these new requirements must prepare to implement these changes by the effective date. This includes establishing processes for conducting risk assessments and cybersecurity audits, and updating systems and policies to accommodate consumer rights related to ADMT. Compliance with these updated regulations is crucial to avoid potential enforcement actions by the CPPA.
What to do next
- Review updated CCPA regulations for applicability to business operations.
- Develop and implement processes for conducting risk assessments and annual cybersecurity audits.
- Update systems and policies to address consumer rights regarding Automated Decisionmaking Technology.
Source document (simplified)
CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations
On July 24, 2025, the California Privacy Protection Agency (Agency) Board adopted regulations that (1)
updated existing CCPA regulations; (2) implemented requirements for certain businesses to conduct risk
assessments and complete annual cybersecurity audits; (3) implemented consumers' rights to access and
opt-out of businesses' use of ADMT; and (4) clarified when insurance companies must comply with the
CCPA.
Effective Date: January 1, 2026
Status of the Proposal: The rulemaking is complete. On September 22, 2025, the regulations
were approved by the Office of Administrative Law and filed with the Secretary of State.
Documents
September 22, 2025 – Final Rulemaking Documents
- Notice of Approval
- Approved Regulations Text
- Final Statement of Reasons and Updated Informative Digest
- Final Statement of Reasons – Appendix A (45-Day Comment Summaries and Responses)
- Final Statement of Reasons – Appendix B (15-Day Comment Summaries and Responses)
- Final Economic and Fiscal Impact Statement (STD 399)
May 9, 2025 – Public Notice of Modifications to Proposed Regulations
- Notice of Modifications to Text of Proposed Regulations and Additional Materials Relied Upon
- Modified Text of Proposed Regulations
January 13, 2025 – Public Notice of Extension of Comment Period
- Notice of Extension of Public Comment Period and Additional Hearing Date
November 22, 2024 – Public Notice of Rulemaking and Related Documents
- Notice of Extension of Public Comment Period and Additional Hearing Date
- Initial Statement of Reasons Appendix A: Standardized Regulatory Impact Assessment
Public Comments
Comments received during the initial 45-day comment period are linked below.
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 1
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 2
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 3
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 4
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 5
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 6
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 7
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 8
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 9
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 10
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 11
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 12
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 13
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments Part 14
- Transcript of comments received during February 19, 2025 Public Comment Hearing
Comments received on modified text during the 15-day comment period are linked below.
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments – Part 1
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments – Part 2
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments – Part 3
- CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations Written Comments – Part 4
Preliminary Rulemaking Activities
The Agency solicited preliminary written comments from the public via an Invitation for Preliminary Comments on Proposed
Rulemaking on the following topics: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated
Decisionmaking Technology (ADMT), and Insurance Companies from February 10, 2023 through March 27, 2023.
That period has closed, and the public comments are available via the links below.
- Comments received during preliminary public comment period
- Comments received after close of preliminary public comment period