Introduction
The California Privacy Protection Agency (CPPA) is progressing with revised draft regulations for the California Consumer Privacy Act (CCPA) [2], focusing on automated decision-making technologies (ADMT) [1] [2] [3] [6] [7], cybersecurity audits [1] [2] [3] [5] [6], and risk assessments [1] [2] [3] [5] [6]. These updates aim to refine definitions, streamline processes [3] [6], and adjust compliance requirements, impacting businesses and consumer rights.
Description
The California Privacy Protection Agency (CPPA) is advancing revised draft regulations concerning the California Consumer Privacy Act (CCPA) [2], with a focus on updates related to automated decision-making technologies (ADMT), cybersecurity audits [1] [2] [3] [5] [6], and risk assessments [1] [2] [3] [5] [6]. The latest draft [1] [5] [6] [7], released on May 1, 2025, has undergone significant modifications [1], including a refined definition of ADMT that covers technology which processes personal information and significantly replaces human decision-making [5]. This includes “significant decisions” affecting areas such as financial services [5], housing [2] [3] [5] [6], education [2] [3] [5] [6] [7], employment [3] [5] [6], or healthcare [3] [5] [6]. However, concerns have been raised regarding the narrowed scope of ADMT systems [5], which may allow employers to self-certify their systems as not significantly replacing human decisions [1], potentially evading regulatory coverage [1].
The revisions have also limited consumers’ rights to opt out of ADMT, removing opt-out rights for workplace profiling [3], education profiling [3] [6], public observation profiling [3] [6], training of ADMT systems [3] [6], and certain advertising practices [3] [6]. Businesses utilizing ADMT can now combine “pre-use” notices with existing CCPA notices at the point of data collection [3] [6], eliminating the need for an additional notice [3] [6]. Pre-use notices are still mandated when significant decisions are made about a customer [6], although other triggers for these notices, such as profiling or training ADMT models [3], have been removed [1] [3] [5] [6]. The requirement for explanations regarding the use of generated output for behavioral advertising has also been eliminated [5].
The responsibility for certifying the completion of cybersecurity audits has shifted from board members to a member of the business’s executive management team [6]. The CPPA has streamlined reporting requirements to the agency [6], easing the obligations associated with cybersecurity audits. A phased implementation of cybersecurity audit requirements is proposed [5], with compliance deadlines based on annual gross revenue [5]: larger businesses would need to comply by April 1, 2028 [5], while smaller businesses would follow in subsequent years [5]. The CPPA is considering tying audit deadlines to business revenue [3] [6], with larger businesses facing earlier deadlines [3] [6].
The draft regulations introduce a “risk assessment report” to clarify documentation requirements for risk assessments submitted to the CPPA or Attorney General [5]. The thresholds for risk assessments have been revised [5], narrowing the triggers to focus on processing sensitive location data. Existing risk assessments can be utilized to meet these obligations if they contain the necessary information [6], and the revised regulations have removed certain burdensome requirements [3], such as detailing mitigation measures for personal information processed by ADMT systems [3]. The draft includes hypothetical examples to aid businesses in understanding compliance requirements [3].
An updated preliminary economic analysis estimates the first-year cost of the draft regulations at approximately $1.2 billion [5], reflecting significant cost savings compared to earlier drafts [5], largely due to an 83% reduction in costs associated with ADMT rules [7]. The CPPA Board has emphasized the need for stakeholders to have adequate time to review these revisions, expressing concerns that the draft rules may have been overly simplified in response to business feedback [1], potentially compromising consumer protection [1]. A second round of public comment has been initiated [3], closing on June 2, 2025 [3], to gather input from industry stakeholders and civil society groups [3]; a 15-day comment period is under consideration.
Organizations are encouraged to provide feedback on the revised draft regulations and should evaluate their use of ADMT systems to ensure compliance with updated pre-use notice requirements and technical capabilities for opt-outs [6]. They must also verify that cybersecurity audit processes meet the new certification and reporting standards and consider adjusting internal deadlines based on compliance timelines [6]. Aligning privacy review processes with the simplified risk assessment requirements is advisable to avoid unnecessary reopening of prior assessments [3] [6].
The CPPA has taken a “support if amended” stance on Senate Bill 468, which mandates that deployers of high-risk AI systems handling personal information adhere to comprehensive information security standards [1]. This legislation requires the establishment and maintenance of a robust information security program with specific safeguards [4]. Enforcement of this bill falls under the Unfair Competition Law [4], and the CPPA is empowered to adopt regulations to implement its provisions [4]. The CPPA Board has indicated a desire to finalize these regulations promptly [2], with a final rulemaking package expected to be submitted to the Office of Administrative Law by November 2025 [4], following a public comment period that closes on June 2, and a planned reconvening in August or September [4]. Future rulemaking may build upon the current draft based on public feedback [2].
Conclusion
The revised draft regulations by the CPPA represent a significant shift in how businesses must approach automated decision-making technologies, cybersecurity audits [1] [2] [3] [5] [6], and risk assessments [1] [2] [3] [5] [6]. By refining definitions and streamlining processes, the CPPA aims to balance business interests with consumer protection. However, the potential narrowing of regulatory scope and the simplification of rules may impact consumer rights. Stakeholders are encouraged to engage in the public comment process to ensure that the final regulations adequately address both business and consumer needs.
References
[1] https://privacy-daily.com/news/2025/05/02/Calif-Privacy-Agency-Provides-More-Time-to-Digest-Revised-ADMT-Draft-2505020034
[2] https://natlawreview.com/article/revised-draft-california-privacy-regulations-lessen-impact-business
[3] https://www.lexology.com/library/detail.aspx?g=716d04f3-4967-4f48-872f-e2bed3cb3033
[4] https://www.secureworld.io/industry-news/california-privacy-agency-ccpa-cipa
[5] https://www.jdsupra.com/legalnews/cppa-board-opens-draft-regulations-for-3349550/
[6] https://www.jdsupra.com/legalnews/ai-deregulatory-trends-continue-cppa-8203505/
[7] https://privacy-daily.com/article/2025/05/01/calif-privacy-agency-chair-fears-staff-pared-admt-draft-to-the-bone-2505010048?BC=bc_6809327acc811