Amendments to the CCPA and CCPA Regulations in 2025

On September 23, 2025, the final regulations proposed by the California Privacy Protection Agency (CPPA) were approved. These regulations address automated decisionmaking technology (ADMT), privacy risk assessments, cybersecurity audits, and related matters.

The main elements of the final regulations are the following three items.

(1) Automated Decisionmaking Technology (ADMT)

ADMT refers to technology that processes personal information and uses computation to replace or substantially replace human decision-making.
Businesses are required to implement the following by January 1, 2027:

  1. When using ADMT for important decisions, businesses must provide consumers with a pre-use notice that includes specified information, such as opt-out rights and access rights.
  2. With certain exceptions, businesses must provide consumers with a method to opt out of the use of ADMT.
  3. Businesses must respond to consumer access requests regarding ADMT.

(2) Cybersecurity Audits

Covered businesses are required to undergo a cybersecurity audit conducted by an independent professional and submit the audit report to the CPPA annually.
Covered businesses are defined as:

  1. Businesses for which more than 50% of the prior year’s annual revenue was derived from selling or sharing personal information; or
  2. Businesses whose prior-year annual gross revenue exceeded USD 25 million and that processed more than 250,000 personal information records, or more than 50,000 sensitive personal information records.

(3) Risk Assessments

Businesses are required to conduct a risk assessment when personal information processing involves a “significant privacy risk.”
