More Unexpected Beach Reading for Privacy Pros as the CPPA Drops New Automated Decision-Making Rules and Cybersecurity Audit Requirements

The CPPA reminds us that even though summer is upon us, the work of privacy pros is neverending.

Normally, in the dog days of summer, everyone’s planning (or off on) beach trips, rushing out the door to enjoy August family getaways, or simply taking some much-needed downtime. Apparently, the folks at the California Privacy Protection Agency (CPPA) are cut from a different mold, given the recent burst of productivity that came out of their July 24 board meeting.

For example:

  • The agency updated their earlier proposed rulemaking on accessible deletion mechanisms, to comply with the Delete Request and Opt-Out Platform (DROP) rulemaking. The public comment period is open from July 31-August 18, 2025.
  • The CPPA provided a preview of trending privacy priorities in states like Colorado, Connecticut, Montana & Oregon. Hot topics include: minors’ privacy, access rights, geolocation data sales, and broadening the scope of sensitive data categories. Given similar rumblings by Andrew Ferguson and the Federal Trade Commission (particularly about minors’ privacy and precise geolocation data), affected organizations should get out ahead on these issues.
Source: https://cppa.ca.gov/meetings/materials/20250724_item4_leg_update_pend_leg.pdf

However, their biggest piece of productivity was voting to unanimously adopt a package of Proposed Regulations to the California Consumer Privacy Act (CCPA), which covers automated decision-making technologies (ADMT), risk assessments, and sweeping cybersecurity audit requirements. A summary of the changes can be found here, in case you’re not a fan of reading redlines.

Using Automation to Make Significant Decisions About Consumers? You’ve Got Some Risk(y) Assessment Business Ahead 

The new automated decision-making regulations establish a compliance framework for businesses that use ADMT to make "significant decisions" about consumers. The rules define "significant decisions" as those that result in the provision or denial of:

  • Financial or lending services
  • Housing
  • Education enrollment or opportunities
  • Employment or independent contracting opportunities or compensation
  • Healthcare services. 

Key requirements under the regs include:

  • Pre-Use notice (§ 7220): Businesses must provide consumers a “Pre-Use Notice” that explains the specific decision being made, the categories of personal information used by the decision-making system, and the consumer's right to opt out or appeal for human review. In response to earlier comments, the Agency clarified that the notice can be integrated into existing privacy notices (or notices of collection) to avoid duplication.
  • Narrowed definition of ADMT (§ 7001): The definition of automated decision-making technologies has been narrowed from earlier draft versions to encompass only technologies that replace or substantially replace human decision-making, and to exclude technology that merely executes a decision or facilitates human decision-making. If a human remains ‘in the loop’ and able to override a computer saying no, it’s not ADMT.
  • No longer applicable to AI or behavioral advertising (§§ 7001 & 7153): The behavioral advertising threshold that would have triggered requirements has been removed. Similarly, references to “artificial intelligence” were struck. However, the agency did set additional requirements for businesses that process personal information to train ADMT systems.
  • Robust risk assessments (Article 10, §§ 7150-7157): Risk assessments will be mandatory for a number of processing activities. The list of triggering activities includes:
    • Selling or sharing personal information.
    • Processing sensitive data (other than for limited employment purposes).
    • Using automated decision-making for significant decisions – for example, decisions which result in the provision or denial of: loans, benefits, or financial support; housing, education enrollment or opportunities; employment or independent contracting opportunities or compensation; or healthcare services.
    • Training automated decision-making tools.
    • Profiling in for-profit educational and employment contexts.
    • Inferring consumer traits through automated processing.
  • Evaluating risk is different in California: Risk assessments must consider not only traditional (read: financial) consumer harms, but also more intangible “negative impacts” to consumer privacy generally, such as discrimination based on protected classes, reputational and psychological harm, limiting or hindering consumers’ control over their data, and forcing consumers to allow for processing of their personal data without meaningful consent.
  • Content and frequency (§ 7155): Risk assessments must weigh risks against benefits, document data flows and safeguards, and be updated at least every three years or when material changes occur. An earlier draft requiring that risk assessments be sent directly to the CPPA was dropped in favor of a requirement for an annual certified report detailing the number and types of risk assessments conducted and the categories of personal information involved. However, the agency and the California AG reserve the right to require more detailed information. 

Annual Cybersecurity Audits (Article 9 §§ 7120-7124) 

Separately, the regulations also introduce robust requirements for annual, independent cybersecurity audits. Audits are mandatory for companies that:

  1. Derive 50 percent or more of annual revenues from selling or sharing consumers’ personal information in the preceding calendar year (aligning with the CCPA threshold established in Civil Code section 1798.140(d)(1)(C)).
  2. Had annual gross revenues in excess of twenty-five million dollars AND
     (A) Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; OR
     (B) Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.

This may exempt many small and medium-sized organizations, even where data volumes are large – provided their main business isn’t the sale or sharing of data. The deadlines are phased in, based on annual gross revenue:

  • Businesses with >$100 million annual gross revenue (for 2026) must complete their first audit by April 1, 2028, covering the 2027 calendar year.
  • Businesses with $50 million - $100 million annual gross revenue (for 2027) must complete their first audit by April 1, 2029, covering the 2028 calendar year.
  • Businesses with <$50 million annual gross revenue (for 2028) must complete their first audit by April 1, 2030, covering the 2029 calendar year.

Annual audit reporting and certifications thereafter must be provided to the CPPA by April 1.

A few other key considerations for in-scope businesses include: 

  • Independent & Holistic: Audits must be performed over a 12-month period starting January 1, by an independent, qualified professional (in-house or external), with expertise in cybersecurity and auditing, using recognized audit frameworks. This is often standard practice for large firms, but may create some challenges for smaller organizations that nonetheless trigger the data or ‘sale or sharing’ thresholds.
  • Executive-Level Reporting: If an internal auditor is used, they must report directly to an executive who is not responsible for the cybersecurity program. Executive leadership must also sign off on the audits.
  • Evidence-based Testing: Audits cannot rely primarily on assertions from the business, and must include evidence-based testing of security controls. Companies need to ensure they meet baseline “reasonable” security practices (similar to, say, standards like PCI-DSS, ISO 27001, or SOC 2), including:
    • The use of phishing-resistant multi-factor authentication (MFA) (i.e., no more SMS-based 2FA)
    • Ensuring that personal information is encrypted at rest and in transit
    • Having robust access control measures, limiting privileged accounts, and monitoring new accounts
    • Implementing secure configuration of hardware and software, system segmentation & isolation
    • Vulnerability & patch management (scans, penetration testing, automatic updates)
    • Logging and monitoring, intrusion detection/prevention, data loss prevention
    • Training & awareness
    • Documenting everything (including incident-response and business continuity planning).
  • Inventory and Vendor Management: Businesses will need to build an inventory of their use of personal information, including data maps and flows, hardware and software inventories, and must ensure robust documentation and oversight to withstand regulatory scrutiny. Businesses should map all uses of automated decision-making and profiling and evaluate if they meet the "significant decision" threshold.  
  • Documentation and Remediation: Businesses must document remediation plans for any identified gaps and retain audit records for five years. The audit report must be thorough and evidence-based, detailing evidence examined and status of gaps.
  • Certification: Every calendar year where a business is required to complete a cybersecurity audit, it must submit a written certification of audit completion, signed by an executive in the business. The full audit report itself does not need to be submitted but may be subpoenaed. Also, it appears that self-assessments are possible. 

Don’t Play the Waiting Game

Organizations likely to be within scope of these regulations should take steps early, before the deadlines kick in. For some businesses, these audit and risk assessment provisions represent more of the same – as stated above, they largely mirror what’s mandated by existing industry or regulatory obligations & best practice guidelines. But for others, the risk assessment & auditing requirements will be net-new. And cybersecurity audits are rarely easy, especially when the business underestimates the time, cost, energy, and effort necessary to achieve good results. 

To avoid surprises later, in-scope and even ‘on-the-bubble’ enterprises should start by: 

  1. Planning and budgeting accordingly. Compliance costs are likely to rise for many firms, especially those who don’t have auditing frameworks already in place. 
  2. Identifying and documenting high-risk processing activities and sensitive data flows. Remember, if your company is using personal information to make automated decisions about people it’s a good idea to write down what you’re doing, and importantly, why you're doing it.
  3. Demanding that vendors and service providers step up contractually. The days of thinking Data Protection Addendums are just for the Europeans are over.
  4. Designing a risk assessment process that documents purpose, proportionality, and safeguards. 
  5. Updating those privacy notices and transparency statements. Remember to disclose automated decision-making before it is used, and to provide opt-out rights to consumers. Listing third party service providers is also a best practice, as more laws demanding supplier transparency come into force.
  6. Implementing controls to mitigate risks. Risk assessments and audits aren’t one-and-done affairs. The results of these assessments and audits must be acted upon by the business, and map to actual controls.
  7. Adopting best practice security standards now. That means ditching SMS 2FA in favor of app-based or other secure solutions, locking down sensitive systems, applying patches & updates early and often, and investing in encryption, training, & secure software development practices.
  8. Tracking the data. Get comfortable with data maps, data flows, and knowing where data lives and who it's being shared with.
  9. Remember, keeping humans-in-the-loop may help avoid (some) administrative burdens. When it comes to ADMT, your best bet is to use tools as a supplement to, not a replacement for, humans.

The regulations are pending final review with the California Office of Administrative Law, which has 30 business days to issue its determination. If approved, several of the proposed regulations would be effective as of January 1, 2026.