On July 24, 2025, the California Privacy Protection Agency (CPPA) unanimously voted to adopt significant regulatory updates to the California Consumer Privacy Act (CCPA). These updates introduce strict requirements around Automated Decision-Making Technology (ADMT), cybersecurity audits, risk assessments, and clarifications for insurance companies.

Before these rules take effect, they will undergo review by the California Office of Administrative Law. However, organizations cannot afford to wait. The scope and complexity of these updates mean businesses must begin preparing immediately.

Key Regulatory Updates

1. Automated Decision-Making Technology (ADMT)

The CPPA has expanded ADMT requirements to ensure greater transparency and accountability.

• Broad Coverage: AI, machine learning, and even rule-based systems such as spreadsheets and databases fall under the new rules when used in critical areas like healthcare, employment, credit and lending, housing, education, or contracting.
  
• Consumer Rights: Businesses must provide clear, pre-use disclosures and give consumers the right to opt-out. A structured appeals mechanism with human oversight must also be established.
  
• Risk Assessments and Recordkeeping: Companies must conduct in-depth risk assessments at both training and deployment stages, maintain detailed records of disclosures and consumer requests, and update vendor agreements to align with compliance requirements.

2. Cybersecurity Audits

Cybersecurity audits are now mandatory, with timelines tied to business size:

• Annual gross revenue ≥ $100M: Effective April 1, 2028
  
• Annual gross revenue $50M–$100M: Effective April 1, 2029
  
• Annual gross revenue < $50M: Effective April 1, 2030
  

Audit reports must include detailed documentation of policies, procedures, criteria, and evidence reviewed. This ensures businesses can demonstrate proactive protection of consumer data.

3. Risk Assessments

High-risk data processing will require businesses to conduct ongoing risk assessments. Beginning April 1, 2028, organizations must submit annual attestations confirming that assessments were conducted in the prior year.

This mandate underscores the state’s shift toward continuous accountability, not just one-time compliance.

4. Clarifications for Insurance Companies

The CPPA has specifically addressed how CCPA obligations apply to insurance companies. This clarification closes gaps in interpretation and ensures consistent consumer protections across the industry.

Compliance Timeline at a Glance

• ADMT Compliance: January 1, 2027
  
• Cybersecurity Audits: April 1, 2028–2030, depending on business size
  
• Risk Assessment Attestation: Annually from April 1, 2028

What Businesses Should Do Now

With deadlines approaching, businesses should begin implementing compliance strategies right away:

1. Inventory ADMT Use Cases

Catalog all automated decision-making tools currently in use and planned, including third-party solutions. Assess where they intersect with sensitive areas like healthcare, lending, and employment.

2.Strengthen Consumer Rights Processes

Design clear, accessible opt-out options and appeal mechanisms. Ensure consumers understand how automated decisions impact them through transparent disclosures.

3. Update Vendor Agreements

Amend contracts with third-party providers to require cooperation in data sharing, audit support, and compliance reporting. Vendors must play an active role in meeting obligations.

4. Implement Risk & Audit Frameworks

Develop structured processes for evaluating risks tied to high-risk data processing. Begin preparing for cybersecurity audits by reviewing policies, procedures, and security controls.

5. Enhance Recordkeeping Practices

Keep thorough logs of consumer disclosures, opt-out requests, appeals, and compliance activities. Strong documentation will serve as proof of accountability during regulatory reviews.

Final Thoughts

The CPPA’s July 2025 updates to the CCPA mark a decisive step toward stricter consumer protection and accountability in the age of AI and high-risk data processing. With deadlines looming as early as 2027, businesses must start compliance efforts now rather than waiting for formal enactment. 

Organizations that act early with the support of compliance-focused solutions like Redacto not only reduce the risk of regulatory penalties but also build consumer trust by demonstrating a commitment to privacy, transparency, and responsible use of technology.