California Finalizes CCPA Regulations for Automated Decision-Making, Risk Assessments, and Cybersecurity Audits

Understanding New CCPA Regulations: A Guide for Businesses

The California Consumer Privacy Act (CCPA) has long been at the forefront of data privacy legislation in the United States. With the California Privacy Protection Agency’s recent finalization of regulations under the CCPA, businesses need to pay close attention to the implications for their operations. This article dives deep into essential aspects of these regulations, especially for those utilizing automated decision-making technology (ADMT).

Key Updates to CCPA Regulations

On September 23, 2025, significant changes were approved, establishing a comprehensive framework for businesses that handle California consumers’ information. The new regulations go into effect on January 1, 2026, and come with specific requirements that will reshape governance for many organizations. Key updates include:

  • ADMT Regulations: Businesses must be aware of obligations related to automated decision-making for significant consumer decisions.
  • Risk Assessments: Mandatory evaluations are required for processing activities that pose a significant risk to consumer privacy.
  • Cybersecurity Audits: Businesses will need to conduct annual cybersecurity audits, which could necessitate significant resources and preparation.

The Importance of These Changes

Why do these updates matter? The CCPA regulations now impose explicit requirements that will necessitate actionable changes for many organizations. Businesses must implement:

  • Clear consent and opt-out procedures for handling personal information.
  • Comprehensive disclosures about their cybersecurity practices and the use of ADMT in decision-making.
  • Detailed risk assessments to ensure compliance and safeguard consumer privacy.

Understanding Automated Decision-Making Technology (ADMT)

The focus on ADMT is particularly notable. Defined narrowly, ADMT encompasses technologies that process personal information and leverage computation to replace or significantly alter human decision-making. “Significant decisions” are categorized as those that impact financial, educational, housing, health care, or employment outcomes—excluding advertising considerations.

Requirements for Businesses Utilizing ADMT

Starting April 1, 2027, organizations employing ADMT for significant decisions must be prepared to:

  • Conduct comprehensive risk assessments.
  • Provide consumers with a clear pre-use notice outlining ADMT utilization.
  • Offer opt-out options for consumers, barring specific exceptions.
  • Facilitate consumer access to the logic behind the business's ADMT usage and its implications.
  • Allow consumers to appeal decisions made via ADMT.

Conducting Risk Assessments

Risk assessments are a critical component of compliance. Under the new regulations, businesses deemed to pose significant risks to consumer privacy must thoroughly evaluate their processing activities. Trigger points for mandatory assessments include:

  • Selling or sharing personal information for cross-context behavioral ads.
  • Processing sensitive personal data.
  • Utilizing ADMT for significant decisions.
  • Profiling based on sensitive contexts.

The assessments should identify negative impacts, such as potential discrimination or reputational harm, associated with data processing activities. They must be retained for five years and may be conducted in tandem for similar processing activities.

Cybersecurity Audits Explained

Cybersecurity remains a cornerstone of the CCPA regulations. Businesses must perform independent annual cybersecurity audits if their processing activities present a significant risk to consumer security. Key thresholds for compliance include:

  • Businesses earning over 50% of revenue from personal information sales.
  • Those with annual revenues over $25 million and processing large volumes of consumer data.

Each audit needs to be executed by an independent authority utilizing recognized standards and must cover essential components of the business’s cybersecurity framework. An annual certification of audit completion is required to be submitted to the CPPA.

Preparing for Compliance

As businesses navigate the new landscape of CCPA compliance, proactive steps are essential. Here are several recommended actions:

  • Inventory ADMT Usage: Identify current and future uses of ADMT, focusing on processes in hiring or customer profiling.
  • Framework Development: Start developing risk assessment templates to evaluate processing activities that may require closer scrutiny.
  • Cybersecurity Review: Assess existing cybersecurity measures to align with the core components outlined in the audit requirements.
  • Consumer Communication: Revise privacy policies and consumer-facing materials to comply with the updated CCPA requirements.

As the landscape of consumer privacy continues to evolve, businesses must remain vigilant and prepared for the impending changes. Understanding these new regulations is essential to not only comply with the law but also to foster trust with California consumers.

James
