CCPA ADMT, Cybersecurity Audit, and Risk Assessment Rules Finalized

In July 2025, the California Privacy Protection Agency (CPPA) board finalized CCPA regulations governing automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits. The vote followed a rulemaking process of more than a year that drew lobbying from the tech industry, business groups, and even Governor Gavin Newsom, and the board received hundreds of public comments along the way.

Here’s a look at some of the updated CCPA rules.

Automated Decisionmaking Technology

The finalized rules include the following requirements for the use of automated decisionmaking technology:

  • Businesses that use ADMT to make a significant decision concerning a consumer must provide the consumer a pre-use notice about that use. The notice must be prominently presented before the business collects the personal information that will be processed by the ADMT, must explain in plain language the specific purpose for which the business will use the ADMT, and must tell consumers how they can opt out.
  • Businesses must give consumers the ability to opt out of the use of ADMT to make a significant decision concerning them, with the following exceptions:
    • Where the business provides the consumer with a method to appeal the decision to a qualified human reviewer who has the authority to overturn it
    • Admission, acceptance, or hiring decisions
    • Allocation or assignment of work and compensation decisions

The regulations define automated decisionmaking technology as “any technology that processes personal information and uses computation to replace human decisionmaking, or substantially replace human decisionmaking.”

CCPA Risk Assessment Requirements

The CCPA requires businesses to conduct a risk assessment before processing consumers’ personal information in a manner that presents significant risk to consumers’ privacy. This round of updates added the following processing activities to the list of activities that present a significant risk:

  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements, based upon systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business.
  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, or movements, based upon that consumer’s presence in a sensitive location. “Infer or extrapolate” does not include a business using a consumer’s personal information solely to deliver goods to, or provide transportation for, that consumer at a sensitive location.
  • Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer. For purposes of this paragraph, “intends to use” means the business is using, plans to use, permits others to use, plans to permit others to use, is advertising or marketing the use of, or plans to advertise or market the use of.

CCPA Cybersecurity Audit Requirements

The revised rules phase in the first cybersecurity audit deadline for businesses subject to the audit requirement according to annual gross revenue:

  • April 1, 2028, if the business’s annual gross revenue for 2026 was more than $100,000,000 as of January 1, 2027. The audit covers the period from January 1, 2027, through January 1, 2028.
  • April 1, 2029, if the business’s annual gross revenue for 2027 was between $50,000,000 and $100,000,000 as of January 1, 2028. The audit covers the period from January 1, 2028, through January 1, 2029.
  • April 1, 2030, if the business’s annual gross revenue for 2028 was less than $50,000,000 as of January 1, 2029. The audit covers the period from January 1, 2029, through January 1, 2030.

The audit must assess how each component of the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure. Those components include, but are not limited to:

  • Authentication
  • Encryption
  • Account management and access control
  • Inventory and management of personal information and the business’s information system
  • Hardware and software configuration
  • Penetration testing and vulnerability scans
  • Network monitoring
  • Data maps
  • Data inventories
  • Data classifications

CompliancePoint has a team of experienced privacy professionals dedicated to helping organizations comply with privacy regulations, including the CCPA, GDPR, and all other applicable state laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.