
CPPA finalizes rules on ADMT, risk assessment, and cybersecurity audit requirements under the CCPA
On September 23, 2025, the California Office of Administrative Law (OAL) approved the final regulations proposed by the California Privacy Protection Agency (CPPA) on July 24, 2025 relating to automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits. The new regulations mark a nearly six-year journey from their first proposal as amendments to the original version of the California Consumer Privacy Act (CCPA) to final regulations. The updated regulations will require impacted businesses to assess and document the risks of their data processing and cybersecurity practices, to provide certain notices, and to extend consumer choice mechanisms to consumers subject to ADMT. These regulations significantly increase the compliance obligations imposed on businesses under the CCPA, and as a result a long implementation window is provided for businesses to come into compliance. For the risk assessment requirements, applicable businesses must comply by January 1, 2026 and submit documentation to the CPPA by April 1, 2028. For ADMT, applicable businesses must comply by January 1, 2027. For cybersecurity audits, applicable businesses must submit certifications to the CPPA by April 1, 2028 (businesses with annual gross revenue over $100 million), April 1, 2029 (businesses with $50-$100 million), or April 1, 2030 (businesses with under $50 million).
Summary
ADMT. By January 1, 2027, businesses must (1) give consumers notice when using ADMT to make Significant Decisions (defined below), which must contain specific language and may be included within the business’s CCPA notice at collection; (2) allow consumers to opt out of such processing, unless an exception applies; and (3) respond to consumers’ access requests regarding ADMT.
Cybersecurity Audits. The updated regulations also set out requirements for performing annual cybersecurity audits for businesses whose processing of personal information presents a “significant risk” to consumers’ security. Importantly, only businesses that meet the specified thresholds are required to complete a cybersecurity audit. In performing the audit, auditors must operate independently and rely on their own analysis of the relevant security testing and the information provided to them in making their assessment. Businesses required to conduct a cybersecurity audit must annually certify to the CPPA that they have completed it.
Risk Assessments. The new regulations also require businesses to perform privacy risk assessments if their processing of personal information presents a “significant risk” to consumers’ privacy. The risk assessment must (1) involve the relevant stakeholders involved in the specific processing; and (2) result in a report maintained by the business. Notably, the CPPA states that the goal of a risk assessment is to restrict or prohibit the “processing of personal information if the risk to the consumer’s privacy outweigh the benefits resulting from the processing[.]” Businesses must therefore carefully weigh whether to proceed with processing activities that present a significant risk to consumers’ privacy.
Businesses must also amend their service provider agreements to require their service providers to assist them in completing their cybersecurity audits, risk assessments, and complying with the new ADMT requirements.
What is ADMT?
Under the CCPA, ADMT means “any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making.” ADMT “substantially replaces” human decision-making if its output is used to make a decision without meaningful human review. Meaningful human review requires that the reviewer:
- Understands how to interpret the technology’s output;
- Considers the output alongside other relevant information; and
- Has the authority to change the decision.
ADMT does not include purely technical tools such as web hosting, spellcheckers, calculators, or anti-virus software, provided they do not replace human decision-making.
When Do the Rules Apply?
The requirements apply when a business uses ADMT to make a Significant Decision concerning a consumer, which is defined as a “decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” Businesses that are already using ADMT for Significant Decisions must comply by January 1, 2027; use beginning after that date must comply immediately.
Requirements if a business uses ADMT
1. Pre-Use Notice
Before collecting personal information for use in ADMT, or before using already-collected personal information in ADMT, businesses must provide a prominent Pre-Use Notice that includes:
- The specific purpose for which ADMT will be used;
- The consumer’s right to opt-out of ADMT, and how to exercise it;
- The consumer’s right to access information about ADMT use;
- A description of how the ADMT works, what types of personal information affect its outputs, what outputs it generates, and how those outputs are used in the decision;
- The alternative decision-making process if the consumer opts out (discussed below); and
- A statement that retaliation for exercising rights is prohibited.
The Pre-Use Notice can be incorporated into the business’s CCPA notice at collection, and a single notice can cover multiple ADMTs used for one or more purposes.
2. Right to Opt-Out of ADMT
Businesses must provide consumers the right to opt out of ADMT used for Significant Decisions. Similar to the opt-out requirements for the sale or sharing of personal information, businesses must offer at least two methods for consumers to submit opt-out requests, and at least one method must reflect the primary way the business interacts with consumers. The opt-out methods must be easy to use, require minimal steps, and must not bury the ADMT opt-out inside a generic cookie banner.
There are limited exceptions to the opt-out right. One exception applies where the business offers an alternative decision-making process: an appeal conducted by a human reviewer with the authority to overturn the decision. Other narrow exceptions apply to certain hiring, admissions, and work allocation decisions, but only when the ADMT is used solely to assess the consumer’s ability to perform, demonstrably works for its intended purpose, and does not unlawfully discriminate.
3. Right to Access ADMT Information
When responding to consumers’ access requests concerning ADMT, businesses must provide plain-language explanations that include:
- The specific purpose of ADMT use;
- Information about the logic of the ADMT, such as the parameters affecting its output;
- The outcome of the decision and how the output was used; and
- Plans for any future use of the output in Significant Decisions.
Businesses may withhold trade secrets and information whose disclosure would compromise security, enable fraud, or endanger physical safety.
Among other types of processing of personal information, the use of ADMT for Significant Decisions triggers a mandatory risk assessment requirement, which is discussed below.
Risk Assessments
Risk assessments must involve the relevant stakeholders whose duties include the processing activity that triggered the assessment. A risk assessment must be completed before the processing begins, reviewed and updated at least every three years (or within 45 days of a material change to the processing), and retained for as long as the processing continues or for five years after the assessment is completed.
Who Must Conduct a Risk Assessment
Businesses must conduct a risk assessment when their processing of consumers’ personal information presents a significant risk to consumers’ privacy. Covered activities include:
- Selling or sharing personal information;
- Processing sensitive personal information (except for limited HR-related uses such as payroll, benefits, and legally required reporting);
- Using ADMT to make Significant Decisions about consumers;
- Using automated processing to infer or extrapolate personal traits, such as intelligence, health, economic status, preferences, reliability, or movements; and
- Processing personal information to train ADMT, facial-recognition, biometric, or other identity-verification technologies.
Risk Assessment Requirements
Businesses that engage in covered activities must prepare a risk assessment report documenting:
- The specific purpose of processing (not generic terms);
- The categories of personal and sensitive personal information processed, and whether those categories are the minimum necessary to achieve the purpose;
- The operational elements of the processing (e.g., method of collecting personal information, retention period, number of consumers, and disclosures to consumers);
- The benefits from the processing of personal information;
- The negative impacts to consumers’ privacy associated with the processing;
- Safeguards the business will implement to mitigate negative impacts;
- Whether the business will proceed with the processing;
- The individuals who provided information for the assessment (excluding legal counsel); and
- The date, names, and positions of those who reviewed and approved the assessment.
Businesses must submit information regarding their completed risk assessments to the CPPA. The submission must include a point of contact, the time period covered by the risk assessments, and the categories of personal and sensitive personal information covered, and it must identify the individual making the submission, who must be a member of the business’s executive management team responsible for the risk assessment’s compliance. For assessments conducted in 2026 and 2027, the submission is due by April 1, 2028. For assessments conducted after 2027, the submission is due by April 1 of the following year.
Businesses may rely on a risk assessment prepared for another purpose (for example, under another privacy law), provided that it contains the required information or is supplemented with the information needed to comply with the new regulations.
Cyber Audit Requirements
The cybersecurity audit rule is a new requirement for covered businesses to have an audit conducted by a qualified independent professional and to submit yearly certifications to the CPPA.
Audit Applicability and Requirements
The audit requirement does not apply to all businesses subject to the CCPA, but only to those that meet certain thresholds: either (1) deriving 50% or more of annual revenue from selling or sharing consumers’ personal information, or (2) having annual gross revenue over $25 million and either processing the personal information of more than 250,000 California consumers or households, or processing the sensitive personal information of more than 50,000 California consumers or households. Based on the previous calendar year’s gross revenue, businesses with over $100 million must complete their first audit report by April 1, 2028; those with $50-$100 million by April 1, 2029; and those with under $50 million by April 1, 2030. In each case the first report covers the preceding calendar year.
The regulations require each covered business to undergo an independent cybersecurity audit that results in a written report. By April 1 of each year, the business must submit to the CPPA a certification that it has completed its cybersecurity audit. The certification must be signed by a member of the business’s executive management team, attesting that they are responsible for its content and that the report is accurate. Audit reports and related documents must be retained for five years.
Either internal or external auditors may conduct the audit, but they must follow generally accepted auditing standards, such as those issued by the American Institute of Certified Public Accountants or the Public Company Accounting Oversight Board. The auditor must have specific knowledge of cybersecurity and cybersecurity audits and must exercise independent judgment. Internal auditors may not report to the executive management team member responsible for the business’s cybersecurity program. In turn, the business must make all requested relevant information available to the auditor and must make a good-faith effort to disclose all relevant facts truthfully.
Audit Scope
The cybersecurity audit generally covers the business’s cybersecurity program, its protection of personal information, and its protection against unauthorized access. The report must describe and assess each specific cybersecurity control in use, such as encryption, multi-factor authentication, access controls, hardware and software configuration, vulnerability scanning, network monitoring, and cybersecurity training. In addition, every cybersecurity audit report must include the following:
- A description of the business’s information systems, the criteria used for the audit, and the specific evidence examined;
- A description of the specific cybersecurity controls used by the business, their implementation, and their effectiveness;
- An identification of any gaps or weaknesses;
- Documentation of the business’s plan to address gaps and weaknesses;
- Identification of any corrections or amendments to prior cybersecurity audit reports;
- A listing of the individuals responsible for the business’s cybersecurity program;
- Identification of the auditor’s name, affiliation, and relevant qualifications;
- A signed statement by the highest-ranking auditor certifying that the review was independent, that the auditors exercised impartial judgment, and that the review was based on specific evidence rather than solely on assertions by the business’s management;
- Copies of any notices to California consumers affected by a data breach; and
- Copies of any notices to any California agency regarding any data breach.
Importantly, a business may rely on a cybersecurity audit or assessment prepared for another purpose if it satisfies all of the regulatory requirements. For example, if a business undergoes an audit against the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 that meets all of the requirements described above, the business may rely on that audit to satisfy the annual audit requirement rather than commissioning a separate one. Note that what is submitted to the CPPA each year is the signed certification, not the audit report itself; the report must nonetheless be retained and be available if requested.
Takeaways
While the new regulations give businesses subject to the CCPA time to implement their requirements, businesses should now assess their obligations and prepare to meet them. In the near term, businesses should:
- Evaluate whether their use of ADMT is subject to the notice and opt-out provisions and, if so, implement and test the mechanisms through which consumers exercise their rights. As we covered in our alert, the CPPA is actively testing and enforcing the operability of consumer opt-outs.
- Establish a process to determine, on an ongoing basis, the applicability of the cybersecurity audit and privacy risk assessment requirements to their business.
- If the cybersecurity audit requirements apply, put in place the processes for an independent annual audit, whether internally or externally led; plan to certify annually to the CPPA that the audit is complete; and be prepared to produce the audit report if required in a CPPA enforcement action or other legal proceeding.
- To the extent they are affected by the updated regulations, amend service provider agreements to require service providers to assist in complying with the additional requirements.
- Prepare to conduct regular privacy risk assessments if applicable to the business.
Finally, it is important to note that California’s CCPA regulations will continue to be reviewed and subject to further modification proposals from the CPPA. Businesses will be well served by staying abreast of enforcement trends and future regulatory developments.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP