The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).

Now that the Regulations have been approved, it is likely that the CPPA’s enforcement priorities will shift away from just online tracking technology to cybersecurity governance obligations and automated decision-making-related consumer rights. This blog post highlights some of the new obligations in the Regulations, specifically the final cybersecurity audit requirements and changes to the scope of the automated decision-making requirements.

Next Steps

The next step in the rulemaking process will be for the CPPA to send the final text of the rules to the California Office of Administrative Law. If the CPPA submits the final text by August 31, 2025, the regulations would likely take effect on October 1, 2025. Otherwise, if the final text is submitted after August 31, 2025, it will likely take effect on January 1, 2026.

While certain of the Regulations will take effect immediately, such as the adjustments to the existing regulations, the automated decision-making technology (“ADMT”) requirements will not take effect until 2027. The cybersecurity audit requirements will have a phased implementation period that depends on the organization: for certain businesses, the requirements take effect as soon as 2028, with a cybersecurity audit covering 2027, while for other businesses they do not take effect until 2030.

Businesses should consider whether they use ADMT such that they would be in scope of the Regulations, and whether they can rely on the finalized exemptions to the opt-out requirements. They should also consider whether the cybersecurity audit requirements apply to them, determine whether certain standards and controls in place meet the audit requirements, and formulate a plan to build the audit requirements into their cybersecurity programs. Businesses that are already conducting cybersecurity audits should consider how to leverage existing frameworks to meet this new requirement.

Final Cybersecurity Audit Requirements

The Regulations provide that every business whose processing of consumers’ personal information presents significant risk to consumers’ security must complete a cybersecurity audit. This remains the same as in the initial Draft Regulations: the business meets this threshold if it “(A) [p]rocessed the personal information of 250,000 or more consumers or households in the preceding calendar year; or (B) [p]rocessed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.”

One departure from the Draft Regulations is that there is now less board involvement in the cybersecurity audit process. The Regulations now only require that auditors report to a member of the business’s executive management team rather than the business’s board of directors.

The Regulations also add detail to the cybersecurity audit report requirements as compared to the Draft Regulations. Under the Regulations, the report must describe the business’s information system and identify the policies, procedures, and practices that the cybersecurity audit assessed; the criteria used for the cybersecurity audit; and the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted. The cybersecurity audit report must also explain why assessing those policies, procedures, and practices, using those criteria, and examining that specific evidence justify the auditor’s findings.

The Regulations offer more flexibility to the auditor than the Draft Regulations. Under the Regulations, the auditor has the ability to determine which components of a cybersecurity program are applicable to the business. Where applicable, the audit report must assess the following elements:

  • Authentication;
  • Encryption of personal information, at rest and in transit;
  • Account management and access controls;
  • Inventory and management of personal information and the business’s information system;
  • Secure configuration of hardware and software;
  • Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs);
  • Audit-log management, including the centralized storage, retention, and monitoring of logs;
  • Network monitoring and defenses;
  • Antivirus and antimalware protections;
  • Segmentation of an information system (e.g., via properly configured firewalls, routers, switches);
  • Limitation and control of ports, services, and protocols;
  • Cybersecurity awareness, including how the business maintains current knowledge of changing cybersecurity threats and countermeasures;
  • Cybersecurity education and training, including: training for each employee, independent contractor, and any other personnel to whom the business provides access to its information system (e.g., when their employment or contract begins, annually thereafter, and after a personal information security breach);
  • Secure development and coding best practices, including code reviews and testing;
  • Oversight of service providers, contractors, and third parties;
  • Retention schedules and proper disposal of personal information no longer required to be retained, by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means;
  • How the business manages its responses to security incidents; and
  • Business-continuity and disaster-recovery plans, including data-recovery capabilities and backups.

As discussed in our previous blog post, the report must also:

  • Identify gaps or weaknesses in the cybersecurity program and document the plans to address them, including the timeframe for addressing them;
  • Address the status of any identified gaps and weaknesses; and
  • Identify any corrections or amendments to any prior audits.

A business that is required to complete a cybersecurity audit must provide a written certification of compliance to the CPPA by April 1st of the year following the year to which the annual cybersecurity audit pertains. The written certification must be electronically signed by a member of the business’s executive management team who is directly responsible for the business’s cybersecurity-audit compliance, has sufficient knowledge of the business’s cybersecurity audit to provide accurate information, and has the authority to submit the business’s certification.

Final Automated Decision-Making Technology Definitions

The Regulations add significant obligations for businesses that use ADMT including the right to opt out of ADMT in some cases, pre-collection disclosures, a right to access additional information about a business’s use of ADMT, and risk assessments.

The CPPA significantly narrowed the scope of the Regulations since the Draft Regulations: the Regulations cover ADMT rather than artificial intelligence more broadly. Additionally, the CPPA changed the scope of what it considers to be ADMT. Notably, the CPPA narrowed the scope of ADMT such that the technology must substantially replace human decision-making rather than merely facilitate it. Under the Regulations, to replace human decision-making means to make a decision without human review. Human review, in turn, means that a human knows how to interpret and use the technology’s output to make the decision; reviews and analyzes the output of the technology, and any other information that is relevant to make or change the decision; and has the authority to make or change the decision based on that analysis. In other words, the Regulations require actual human involvement in the decision being made for a technology to avoid being considered ADMT.

While businesses within the scope of the ADMT requirements still must comply with onerous disclosure and consumer rights obligations, the narrowed scope of ADMT will place many uses of AI that fall short of replacing human decision-making outside the scope of the Regulations.

Further, the Regulations modified but retained certain exemptions to the opt-out requirements found in the Draft Regulations, namely (a) where the business provides the consumer with a method to appeal the decision to a human reviewer; (b) for admission, acceptance, or hiring decisions with certain safeguards; and (c) for allocation and assignment of work and compensation decisions. These use cases are still subject to the Regulations’ notice and access requirements. The Regulations removed the security, fraud prevention, and safety exemption found in the Draft Regulations.

The authors would like to thank Debevoise Summer Law Clerk Julie Ablimit for her work on this Debevoise Data Blog.

The cover art used in this blog post was generated by DALL-E 4o, and content was partially generated by o3.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Melyssa Eigen is an associate in the Litigation Department. She can be reached at meigen@debevoise.com.