California Privacy Protection Agency Advances Substantial Rulemaking – Cyber Audits, Risk Assessments, New Automated Decisionmaking Technologies Rights, and More

The California Privacy Protection Agency (Agency) on Thursday, July 24, 2025, approved a comprehensive set of new California Consumer Privacy Act (CCPA) regulations that the Agency has been developing for over four years. Before taking effect, the proposed regulations must still be approved by California’s Office of Administrative Law (OAL). It is possible some of these provisions may change with the OAL’s review, which must be completed within 30 business days after the Agency submits to the OAL its final rulemaking package. However, many expect that most of the proposed regulations will pass OAL review. If approved, several of the proposed regulations would be effective as of January 1, 2026. Key requirements under the proposed regulations include:

  • Annual Independent Cyber Audits: Certain businesses would be required to undergo annual independent cybersecurity audits, with a phased implementation from 2027 to 2029 as discussed in greater detail below. These audits would include executive reporting and sworn certification requirements.
  • Detailed Risk Assessment Requirements: Businesses would need to conduct risk assessments for activities such as the sale and sharing of personal information (as defined by the CCPA), processing of sensitive data, profiling in for-profit educational and employment contexts, and the training of automated decisionmaking technologies (ADMT) used to make “significant decisions” (including those related to finance, lending, housing, for-profit educational enrollment, employment, and healthcare services). These risk assessments would also require senior management reporting.
  • New Rights for Consumers Related to ADMT: Beginning in 2027, there would be new notice, access, and opt-out rights for individuals regarding the use of ADMT in making significant decisions.

Additionally, the proposed regulations would update some existing CCPA requirements. Notable changes could include:

  • Consumer Notification: Businesses would be required to notify consumers when Global Privacy Control (GPC) and other opt-outs are in effect.
  • Dark Pattern Prohibitions: The proposed regulations provide further guidance and warnings with respect to the use of dark patterns in the design of opt-out requests and consent mechanisms, such as cookie banners, reflecting recent CCPA enforcement trends.

Several of the proposed regulations would be phased in over time, while other provisions could take effect as early as January 1, 2026, depending upon the timing and scope of OAL approval. All businesses subject to the CCPA should carefully review the proposed regulations to determine their applicability and begin planning for implementation. This may include budgeting for increased compliance costs, such as ongoing cybersecurity audits and risk assessments.

While a comprehensive review of the many substantive provisions of these proposed regulations is beyond the scope of this summary, we highlight below some of the more notable features:

Mandatory Annual Cyber Audits for Certain Businesses Beginning in 2027

Under the proposed regulations, beginning in 2027, CCPA businesses that meet any of the following thresholds would be required to undertake annual cybersecurity audits: businesses that (a) annually process the personal information of more than 250,000 California residents; (b) annually process the sensitive personal information of more than 50,000 California residents; or (c) derive more than 50% of their annual revenue from the sale or CCPA-defined sharing of personal information. Once a business falls within any of these thresholds, under the proposed regulations, it must prepare for near-continuous, year-long audit activities. Each audit cycle would culminate in an annual certification, due by April 1, attesting to the accuracy and independence of the audit. This certification would need to be made by a member of the business’s executive management team responsible for audit compliance.

Cyber Audit Scope and Process. The proposed regulations would require cybersecurity audits to comprehensively assess the establishment, maintenance, and implementation of a business’s cybersecurity program over a 12-month period, beginning January 1 of each year. Audits would need to be conducted by independent assessors using recognized audit frameworks. Auditors would be tasked with evaluating 18 components of the business’s cybersecurity program, as applicable, including: inventories of personal information and information systems; multifactor authentication (MFA); access controls; encryption practices; oversight of vendors, service providers, contractors, and third parties; secure code development and testing; and use of internal or external vulnerability scans and penetration testing. Following the assessment, auditors would produce a gap analysis, a remediation plan with target dates, updates on the status of prior years’ remediation plans, and identify individuals within the business responsible for cybersecurity.

Phased Implementation Based on Revenue. The proposed regulations would phase in the audit requirement over three years, based on a business’s annual gross revenue:

  • Businesses with annual revenue over $100 million would need to begin audits by January 1, 2027;
  • Businesses with annual revenue between $50 million and $100 million would need to begin audits by January 1, 2028; and
  • Businesses with annual revenue under $50 million would need to begin audits by January 1, 2029.

Implications for Businesses. Assuming these regulations are approved by the OAL, compliance costs for businesses of all sizes can be expected to rise. Additionally, the creation of detailed audit records and executive attestations could introduce new areas of legal risk, such as by providing a basis for increased regulatory scrutiny or litigation, particularly for businesses that have not previously been subject to independent audit obligations. Careful planning and resource allocation will be essential should these regulations be approved by the OAL.

Detailed Risk Assessments With Annual Reporting Requirements

The proposed regulations would introduce comprehensive requirements for businesses to conduct risk assessments, with California incorporating standards that are not typically seen in other state risk assessment requirements. As under other state privacy laws, risk assessments would be required for the sale and sharing of personal information (such as the use of advertising trackers and disclosures for cross-context behavioral advertising) and for the processing of sensitive data, but the proposed regulations would expand the scope significantly. Under the proposed regulations, businesses would also be required to conduct risk assessments for:

  • The use of ADMT to make significant decisions about individuals;
  • Profiling in employment and educational contexts;
  • Profiling based on geolocations designated as “sensitive”; and
  • Processing personal information to train ADMT used for significant decisions or to train technologies for identity verification or profiling of California residents, including the advertising or marketing of plans to do so.

Unique California Standards and Focus on “Negative Impacts.” California’s proposed ADMT regulations detail the factors businesses would need to consider in risk assessments, which could set a standard that is unique among state privacy laws. Notably, instead of focusing solely on the “risks” to consumers, as is common in other states, the proposed regulations would require businesses to evaluate the potential “negative impacts” to consumer privacy. The proposed regulations include several examples of potential negative impacts that a business may consider, including:

  • Data security risks
  • Discrimination based on protected classes
  • Economic harm
  • Physical harm
  • Reputational harm
  • Psychological harm
  • Impairing consumers’ control over their personal information, such as by not providing consumers with sufficient information to make an informed decision or by interfering with consumers’ ability to make choices consistent with their reasonable expectations
  • Compelling consumers to allow the processing of personal information, such as by conditioning consumers’ acquisition or use of an online service upon their disclosure of personal information that is unnecessary for the expected functionality of the service, or purporting to obtain consent through dark patterns

The latter examples reflect themes seen in recent CCPA enforcement actions and suggest areas where businesses may want to consider focusing their current compliance efforts.

Timing and Reporting Requirements. Risk assessments would be required to be conducted before engaging in any in-scope processing activities and reviewed and updated at least every three years, or within 45 days of a material change in the processing activity. For new processing activities, assessments would be required as soon as the regulations take effect (potentially January 1, 2026). For ongoing activities as of the effective date of the proposed regulations, businesses would be required to complete risk assessments by December 31, 2027.

Importantly, this latest version of the proposed regulations removed the requirement to submit all risk assessments to the Agency. Instead, the proposed regulations would require a senior executive to submit an annual certified report to the Agency, detailing the number and types of risk assessments conducted and the categories of personal information involved. However, the Agency and the California Attorney General would retain the authority to require production of any risk assessment with 30 days’ advance notice.

Implications for Businesses. The proposed risk assessment regulations would represent a significant expansion of risk assessment obligations currently in effect under other state privacy laws, both in terms of scope and the factors to be considered. If the proposed CCPA regulations are approved by the OAL, businesses will need to further develop robust processes for identifying in-scope activities, conducting and documenting risk assessments, and ensuring timely reporting and updates. The focus on “negative impacts” and the detailed reporting obligations underscore the importance of integrating these assessments into broader CCPA compliance programs and preparing for potential regulatory scrutiny.

New Rights and Obligations for “Significant Decisions” Made With ADMT

The proposed regulations, while scaled back from expansive earlier proposals, would nonetheless establish important new rights for consumers and corresponding obligations for businesses that utilize ADMT to make “significant decisions,” a defined term in the proposed regulations that includes decisions related to financial or lending matters, housing, for-profit educational enrollment, employment, and healthcare services—provided that the personal information involved is not otherwise exempt from the CCPA (for example, information subject to the Gramm-Leach-Bliley Act or HIPAA).

A key clarification in the proposed regulations is the definition of ADMT. A technology would only qualify as an ADMT if the technology replaces or “substantially replaces” human decisionmaking. If a human reviews the output of the technology and retains the authority to make or alter the decision, the technology is not an ADMT as defined by the proposed regulations. This clarification was included in response to concerns raised by businesses and industry groups during the rulemaking process. Importantly, the proposed regulations clarify that “significant decisions” for the purposes of ADMT rights do not include advertising directed at consumers.

Under the proposed regulations, businesses that utilize ADMT to make significant decisions would need to address a host of new consumer rights by April 1, 2027. These include issuing a Pre-use Notice at or before the point at which a business collects personal information that will be processed using ADMT. The proposed regulations contemplate that the Pre-use Notice would describe the specific purposes for which a business wants to use ADMT, provide information about how the ADMT works to make decisions, and apprise the consumer of their rights regarding the ADMT, including the rights to access and to opt out of the use of ADMT. The access right in the proposed regulations would require businesses to provide information about how a consumer’s personal information was processed by ADMT and include a description of the logic used by the ADMT, enabling the consumer to understand how their data was analyzed and how the output was generated. The proposed ADMT access right would also require businesses to explain how the ADMT arrived at the decision, including the role of any human involvement in the process. In addition, the proposed regulations include a right for consumers to opt out of the use of ADMT for significant decisions affecting them.

This version of the proposed regulations, particularly the narrowed definition of ADMT, has drawn criticism from some labor groups. Their primary concern is that exempting decisions where humans can override automated outputs may leave workers vulnerable to adverse impacts from automated systems. Agency board discussions and earlier drafts of the regulations indicate that some staff members share these concerns. As a result, it is expected that the use of ADMT in employment and workplace contexts will be subject to heightened regulatory scrutiny going forward.

Implications for Businesses. Businesses that rely on ADMT for significant decisions may want to consider preparations to comply with the proposed regulations. Preparations could include cataloging uses of in-scope ADMT, developing clear and transparent Pre-use Notices, establishing processes to provide meaningful access to information about ADMT logic and decisionmaking, and designing mechanisms for consumers to exercise their opt-out rights. Special attention should be paid to workplace applications of ADMT, as these are likely to be a focus of enforcement and regulatory oversight.

Strengthened Opt-Out Notification Requirements and Dark Pattern Reminders

The proposed regulations also reinforce California regulators’ ongoing focus on ensuring that consumers can easily understand and exercise their CCPA rights, with a particular emphasis on opt-out rights.

Under the proposed regulations, businesses would need to display on their websites whether they have processed Global Privacy Control (GPC) signals as valid opt-out requests. Additionally, when processing sale or share opt-out requests made through a website or app, businesses would need to provide a mechanism for consumers to confirm their opt-out request has been honored. Consent management platforms can be expected to play a key role in facilitating compliance with these proposed requirements; indeed, some platforms already offer such functionality.

Implementing the measures contemplated by the proposed regulations has the potential to expose compliance gaps in how businesses process opt-out signals. Common issues include inconsistent transmission of opt-out signals across different webpages and challenges in recognizing authenticated account holders across multiple devices. These shortcomings can create both regulatory and litigation risks, as plaintiffs’ lawyers have increasingly focused on purportedly ineffective opt-out mechanisms to allege privacy violations. These risks may be further heightened if the California Opt Me Out Act (AB 566)—which would require all browsers to recognize GPC signals—is enacted. This would likely increase the volume of GPC signals that businesses must process.

The proposed regulations would also strengthen requirements around the design of opt-out requests and consent mechanisms with emphasis on providing symmetrical and clearly worded choices. This reflects the recent enforcement priorities of both the Agency and the California Attorney General. The proposed regulations further clarify that simply navigating away from a page or dismissing a pop-up banner does not, by itself, constitute valid consent. This language mirrors similar provisions in Colorado’s privacy regulations.

Implications for Businesses. In light of these proposed changes to CCPA regulations, businesses may wish to consider proactively testing their systems for processing GPC signals and other opt-out requests, potentially through third-party audits, in advance of the anticipated January 1 effective date of several of the proposed regulations and, if enacted, the California Opt Me Out Act. Businesses should also consider reviewing and, if necessary, updating the design and language of their opt-out features and cookie banners, benchmarking them against the numerous examples provided in section 7004 of the proposed CCPA regulations.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.