Cyber Risk Advisory
California Board approves more CCPA regulations: What businesses need to know


On July 24, 2025, the California Privacy Protection Agency (CPPA) approved new regulations defining the requirements for annual cybersecurity audits, routine privacy risk assessments, and the applicability of the California Consumer Privacy Act on automated decision-making technology (ADMT).
This blog summarizes key elements for cybersecurity audits, privacy risk assessments, and ADMT, including:
- What is required?
- Which businesses are in scope?
- When are new compliance obligations due?
The packet now goes to the Office of Administrative Law (OAL) for final approval. While some enforcement timelines are known and discussed below, some will be determined by the OAL.
Cybersecurity Audit Compliance
What is required?
The new CCPA regulations mandate an annual cybersecurity audit completed by a qualified, objective, independent, professional cybersecurity auditor.
- Audits must be based on evidence deemed appropriate by the auditor (e.g., documents, samples, interviews)
- Audits do not need to be net new and can leverage already-planned assessments against a framework. All CCPA requirements must be included directly or as a supplement to a framework, such as NIST Cybersecurity Framework 2.0.
- In-scope companies must submit a written certification to the California Privacy Protection Agency. The written submission does NOT include a copy of the audit findings.
- A member of the executive management team must attest in writing that the certification statements are true and correct. This individual must have direct responsibility for and be knowledgeable about the cybersecurity audit.
Coalfire discussed previous versions of California’s regulations on cybersecurity audits here. The earlier analysis remains relevant in that it highlights which aspects of these requirements are mandatory, and which may be changed at the CPPA’s discretion.
The CPPA Board has repeatedly indicated concern over the financial burden of the regulations on businesses. The analysis accompanying the final regulations estimates 71% of the financial burden on businesses will come from the annual cybersecurity audit obligation.
Which businesses are in scope?
Those businesses whose processing of consumers’ personal information (PI) presents a “significant risk” are in scope. Such “significant risk” includes a business that either:
- Derives 50 percent or more of annual revenues from the sale/sharing of consumer PI; OR
- Has annual gross revenue that exceeds the CCPA’s Consumer Price Index-adjusted threshold, currently $26.625M, AND one of the following:
  - Processed the PI of 250,000 California consumers; OR
  - Processed the sensitive personal information of 50,000 California consumers.
That being said, all businesses in-scope for the CCPA have a mandate to implement “reasonable security.” The CPPA reduced the estimated financial burden of the cybersecurity audit requirements based on an assumption that: “All businesses should already be using an existing cybersecurity framework to comply with these existing requirements.”
When are new compliance obligations due?
The first deadline isn’t until April 2028, although preparation and documentation must begin at least a year prior. The regulations include a ramp-up period between 2025 and 2030, to allow smaller companies a longer window to come into compliance.
This table summarizes the timelines by business size:
| Annual Gross Revenue Threshold | First Annual Audit Reporting Period | Due Date to Certify Audit Completion |
|---|---|---|
| >$100M in 2026 | 1/1/2027 – 1/1/2028 | April 1, 2028 |
| $50-100M in 2027 | 1/1/2028 – 1/1/2029 | April 1, 2029 |
| <$50M in 2028 | 1/1/2029 – 1/1/2030 | April 1, 2030 |
After April 1, 2030, businesses must assess at the beginning of each calendar year if they are in-scope by the annual-gross-revenue definition. If so, they must then complete a cybersecurity audit covering the next 12 months, due on April 1 of the following year.
Privacy Risk Assessments
What is required?
The new CCPA regulations require formal, written assessments when businesses propose to use consumers’ personal information in ways that present “significant risk” to consumers’ privacy. The regulations define six cases that constitute “significant risk,” summarized below:
- Selling or sharing personal information
- Processing sensitive personal information (exemption: certain employment situations)
- Using ADMT for “significant decisions” (more below)
- Automated processing making certain inferences in employment and educational contexts
- Automated processing making specified inferences related to presence in sensitive locations, such as healthcare centers, union/political offices, places of worship, etc.
- Using personal information to train ADMT to make “significant decisions” about a consumer, for emotion recognition, for identification (such as facial recognition), or for consumer profiling.
The goal is to restrict or prohibit processing of personal information where the risks to consumers’ privacy outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.
Additional obligations include:
- Risk assessment requirements include components similar to those required in other privacy laws, such as: data lifecycle, data retention, volume of consumers/data, disclosure mechanisms, involvement of third parties, benefits and negative impacts of the processing, and safeguards for the data.
- Risk assessments for related, comparable processing can be captured in a single risk assessment.
- The risk assessment should consider broad potential negative impacts to consumers’ privacy, such as discrimination, reduced control over personal information, economic harms, physical harms, reputational harms, and psychological harms.
- Personal responsibility for the risk assessment must be demonstrated by the person deciding to move forward with processing, and it should include the names and positions of all individuals who prepare, inform, review, and approve the assessment (including someone involved in data processing), except for legal counsel who provided legal advice. Sign-off must include someone with authority to participate in deciding whether or not to move forward with the data processing. It cannot be handled solely by a separate compliance or legal function.
- Annual reports must include the number of risk assessments and the types of significant risk requiring the assessment; the categories of personal data and sensitive personal data involved; and an attestation by a named, responsible member of the executive leadership team that the risk assessments have been completed as required.
Coalfire discussed previous versions of regulations on privacy risk assessments here. This analysis compares California’s proposed risk assessment requirements with similar requirements in other states. California’s regulations explicitly seek to streamline multistate compliance and encourage businesses to use risk assessments prepared for other jurisdictions, supplemented if necessary to capture all California requirements.
Which businesses are in scope?
All businesses in-scope for the CCPA need to assess whether their processing of consumers’ personal information presents “significant risk,” discussed above.
The CPPA reduced the estimated financial burden of the privacy risk assessments by removing behavioral advertising from the list of cases constituting significant risk.
When are new compliance obligations due?
The effective date is still being determined. After the effective date, risk assessments must be completed prior to processing activities that present “significant risk,” as described above.
For any processing activities in effect prior to the effective date, the regulations allow businesses a grace period until December 31, 2027.
Businesses are required to review risk assessments at least every three years, or within 45 calendar days of a material change relating to the processing activity.
Businesses are also required to submit an annual report summarizing the risk assessments conducted in the reporting period. The first report is required April 1, 2028, covering risk assessments completed in 2026 and 2027.
Automated Decision-Making Technology (ADMT): Risk assessments and opt-out mechanisms
What is required?
The new regulations add two significant ADMT requirements:
- ADMT-specific requirements for risk assessments
- Mechanisms to opt-out of ADMT use, unless an exemption applies
As noted under privacy risk assessments, certain uses of ADMT trigger requirements for risk assessments. ADMT is broadly defined as using “computation to replace ... or substantially replace human decision making.” Systems with human oversight are not included, though the human must be able to interpret system outputs, analyze outputs and other information necessary to make or overturn a decision, and have the authority to make or change the decision based upon the analysis.
In addition to the requirements for privacy risk assessments more broadly, ADMT-specific assessments should note:
- The logic of the ADMT, including assumptions and limitations of the logic
- The output of the ADMT, and how the business will use the output to make a significant decision.
In addition to risk assessments, companies using ADMT for significant decisions must also:
- Provide consumers with a Pre-use Notice that informs them of the use of ADMT and their rights to opt-out of ADMT, access ADMT, and/or appeal the decision by ADMT. This must include an explanation of how ADMT makes significant decisions, and how that decision would be made if the consumer opts out. Some exceptions apply.
- Opt-out mechanisms should correspond to the method by which the business interacts with consumers. Cookie banners may not comply with requirements because they are not specific to the right to opt-out of the use of ADMT. Businesses may offer the choice to allow specific uses of ADMT, but there must also be a single option to opt-out of all the business’s use of ADMT for significant decisions.
- Businesses may not require consumers to create an account in order to opt out of the use of ADMT. As with the opt-out of the sale or sharing of data, businesses must not require a verifiable consumer request to opt out of ADMT, although they may ask for information necessary to complete the request.
- Businesses must provide a means by which the consumer can confirm that the business has processed their request to opt out of ADMT.
- If the business had already begun processing the consumer’s data when they opted out of ADMT, the business must cease processing that information using ADMT as soon as feasible, but no later than 15 business days from receipt of the request. The business must notify third parties to whom the information has been disclosed that they must also comply with the opt-out within the same time frame.
- Responses to ADMT-related access requests must include the specific purpose for the ADMT, information about the logic of the ADMT with respect to the decision made, and the outcome of the decision-making process for the consumer. The response need not include trade secrets or otherwise compromise the business’s cybersecurity or fraud prevention processes. ADMT access requests must follow consumer verification requirements.
Which businesses are in scope?
All businesses in-scope for CCPA should assess their use of ADMT for potential triggers.
The regulations focus on “significant decisions.” In brief, these include “a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” Each of these components is defined in the regulations.
The scope of the CCPA regulations, and the extent to which artificial intelligence technologies should be regulated by the CPPA, has been a subject of much debate by the CPPA’s Board, in public comment, and among legislators. By substantially narrowing the definition of ADMT included in the regulations, the CPPA estimates that only 10% of in-scope businesses will have responsibilities under the ADMT rules.
When are new compliance obligations due?
Businesses that use ADMT for significant decisions prior to January 1, 2027, must be in compliance no later than that date. Subsequent use must be in compliance with the regulations at the time ADMT is used for significant decisions.
Next Steps for CCPA Privacy and Security Compliance
While final dates for enforcement await confirmation by the OAL, businesses should begin preparing now.
The phased timelines offer organizations the opportunity to build or enhance their compliance programs. Leveraging existing frameworks, such as the NIST Cybersecurity Framework and the NIST Privacy Framework, can help streamline these efforts and support cross-functional coordination. Maintaining an accurate data inventory, assigning clear accountability, and establishing procedures to assess and document privacy risks are all essential steps.
Taken together, these regulations underscore the increasing convergence of privacy and security. Businesses that invest early in aligning their programs to these expectations will be better positioned to demonstrate compliance, manage risk, and uphold consumer trust as enforcement begins.
***
Coalfire specializes in supporting businesses at every stage of cybersecurity and privacy program development. From readiness assessments and framework-based implementation to formal audit attestations, our team can help you navigate the new CCPA requirements. Whether this is your first formal privacy program or your fifteenth cross-mapped standard, Coalfire is prepared to meet your needs.