California Releases Final Rules on AI and Cybersecurity Audits: What the Regulations Mean for Businesses


Key Takeaways:

  • The latest draft regulations from the California Privacy Protection Agency (“CPPA”) introduce significant new requirements for businesses using automated decision-making technology (“ADMT”) and those whose data practices present heightened cybersecurity risks.
  • Covered companies will need to provide detailed consumer notices, honor new opt-out and information access rights, and implement robust, independently-audited cybersecurity programs.
  • Compliance deadlines are phased, but businesses should act now to assess their ADMT use, update privacy notices, and prepare for annual cybersecurity audits.

Automated Decision-Making Technology

Who Is Covered?

The proposed ADMT regulations will apply to any for-profit entity that is subject to the California Consumer Privacy Act (“CCPA”) and uses ADMT to make a “significant decision” concerning a consumer.

A “significant decision” is one that results in the provision or denial of financial or lending services, housing, educational opportunities, employment, independent contracting opportunities, or healthcare services. “ADMT” is defined narrowly to capture only technology that replaces or substantially replaces human decision-making; purely assistive or “human-in-the-loop” tools fall outside the definition.

Core Requirements

The core requirements for covered entities include (1) providing notice to consumers of ADMT use; (2) allowing consumers to opt out of ADMT in certain situations; and (3) giving consumers the right to access information regarding the business’s use of ADMT.

Notice

Before processing, the business must give consumers a stand-alone or layered notice that explains in plain language:

  • the specific purpose for using ADMT;
  • how the system works to reach a decision and which categories of personal information affect the outcome; and
  • how the decision would be made if the consumer opts out.

Opt-Out Rights

A conspicuous link must allow consumers to direct the business not to use ADMT with respect to them. However, some limited exceptions exist. Businesses are not required to provide consumers with the ability to opt out of ADMT if, subject to privacy and non-discrimination safeguards, any of the following are true:

  • the business provides consumers the opportunity to appeal ADMT’s decisions to a human reviewer who can overturn the decisions;
  • the business only uses ADMT to assess a consumer’s ability to perform at work or in an educational program for purposes of hiring and admission decisions; or
  • the business only uses ADMT for the allocation or assignment of work and compensation.

Access Rights

Upon request, the business must provide consumers with meaningful information about the logic involved in its ADMT, the consumer-specific output, and how that output was or will be used to reach a decision.

Covered businesses must handle ADMT opt-out and information requests within the standard CCPA timeframe of 45 days (with a potential 45-day extension), reasonably verify the consumer’s identity, and maintain records of requests and responses for at least 24 months.

Enforcement and Penalties

Any violation constitutes a CCPA violation, subject to administrative enforcement by the CPPA or civil enforcement by the California Attorney General. Monetary penalties can reach $2,500 per violation (or $7,500 per intentional violation or those involving minors), with each affected consumer and each day of non-compliance treated as a separate violation.

The CPPA may issue subpoenas, conduct audits, and order injunctive relief; failure to honor an opt-out or to provide required disclosures can trigger these remedies.

Cybersecurity Audits

Who Is Covered?

A business that is subject to the CCPA must complete an annual cybersecurity audit if its processing “presents significant risk to consumers’ security.” That standard is met when, during the prior calendar year, the business:

  • Earned at least 50% of its annual revenue from selling or sharing personal information; or
  • Had an annual gross revenue above $26.625 million and processed either
    • personal information of at least 250,000 consumers or households, or
    • sensitive personal information of at least 50,000 consumers.

Audit Scope and Audit Report Requirements

The audit must be performed by an internal or external professional who is free from managerial influence, reports to a senior executive who is not responsible for the cybersecurity program, and follows standards accepted in the auditing profession.

The auditor must evaluate how the company’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure.

The regulation lists more than two dozen specific controls that must be assessed as applicable to the business, including multifactor authentication, strong password practices, encryption at rest and in transit, least-privilege access, patch and vulnerability management, logging and monitoring, employee training, and incident-response planning.

A written report must:

  • describe the information system and the policies, procedures, and evidence reviewed;
  • identify applicable security components, explain their effectiveness, and detail any gaps;
  • include the company’s remediation plan and timeline;
  • be delivered to an executive with direct cybersecurity responsibility; and
  • be retained (along with workpapers) for at least five years.

By April 1 following any audit year, a member of executive management must certify to the CPPA that the company completed the audit.

Frequency of Audits

A business must complete its first cybersecurity audit report according to the following timeline:

  • no later than April 1, 2028, if the business’s annual gross revenue for 2026 was more than $100 million, in which case the audit must cover the period from January 1, 2027 through January 1, 2028;
  • no later than April 1, 2029, if its revenue for 2027 was between $50 million and $100 million, in which case the audit must cover the period from January 1, 2028 through January 1, 2029; and
  • no later than April 1, 2030, if its revenue for 2028 was less than $50 million, in which case the audit must cover the period from January 1, 2029 through January 1, 2030.

Enforcement and Penalties

Audit reports need not be filed proactively, but the CPPA or California Attorney General may compel production within 30 days. Failure to produce, or evidence of non-compliance, is a CCPA violation.

Monetary penalties mirror those under the CCPA—up to $2,500 per violation, or $7,500 for intentional violations—and can accrue daily. The CPPA may also impose injunctive relief, require corrective action, or refer egregious cases for civil prosecution.

Expected Effective Date

The CPPA intends to submit the package to the Office of Administrative Law and finalize the rules by November 2025. The substantive obligations, however, phase in over time:

  • ADMT requirements apply no later than January 1, 2027.
  • Initial cybersecurity audit reports are due April 1, 2028, 2029, or 2030 depending on the business’s revenue tier, with annual certifications each April 1 thereafter.

Companies that fall within scope of the ADMT or cybersecurity audit rule should begin preparing to meet their obligations in advance of the rules’ deadlines. If you have questions about your compliance with these new rules or need help preparing for a cybersecurity audit, please contact one of the specialists in our Data Privacy and Security or Artificial Intelligence practice areas.

* Special thanks to Summer Associate Will Cook for his contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.