CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations
On July 24, 2025, the California Privacy Protection Agency (Agency) Board adopted regulations that (1) updated existing CCPA regulations; (2) implemented requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implemented consumers’ rights to access and opt out of businesses’ use of ADMT; and (4) clarified when insurance companies must comply with the CCPA.
Effective Date: January 1, 2026
Status of the Proposal: The rulemaking is complete. On September 22, 2025, the regulations were approved by the Office of Administrative Law and filed with the Secretary of State.
Final rulemaking documents
- Notice of Approval
- Approved Regulations Text
- Final Statement of Reasons and Update to Informative Digest
- Final Statement of Reasons – Appendix A (45-Day Comment Summaries and Responses)
- Final Statement of Reasons – Appendix B (15-Day Comment Summaries and Responses)
- Final Economic and Fiscal Impact Statement (STD 399)
Rulemaking activities
May 9, 2025 – Public Notice of Modifications to Proposed Regulations
- Notice of Modifications to Text of Proposed Regulations and Additional Materials Relied Upon
- Modified Text of Proposed Regulations
- Comments received during the May 9, 2025 – June 2, 2025 comment period
January 13, 2025 – Public Notice of Extension of Public Comment Period
- Notice of Extension of Public Comment Period and Additional Hearing Date
- February 19, 2025 Public Comment Hearing
November 22, 2024 – January 14, 2025 – Public Notice of Rulemaking and Related Documents
- Notice of Extension of Public Comment Period and Additional Hearing Date
- Notice of Proposed Rulemaking
- Text of Proposed Regulation
- Initial Statement of Reasons
- Initial Statement of Reasons Appendix A: Standardized Regulatory Impact Assessment
- Economic and Fiscal Impact Statement (STD 399)
- Written comments received during the November 22, 2024 – January 14, 2025 public comment period
- January 14, 2025 Public Comment Hearing
Preliminary rulemaking activities
May 2024 Pre-rulemaking Stakeholder Sessions
The California Privacy Protection Agency invited the public to attend three statewide stakeholder sessions to learn about and provide preliminary feedback on the Agency’s proposed regulations on automated decision-making technology, risk assessments, and cybersecurity audits. The informational sessions were held to provide information about the draft regulations and to receive public comment before the Agency moved into the formal rulemaking process.
Each session included a brief presentation by CalPrivacy staff on the draft regulations and an overview of the rulemaking process.
- Fact Sheet: Draft Automated Decision-making Technology Regulations
- Fact Sheet: Draft Automated Decision-making Technology Regulations (Spanish)
- Fact Sheet: Draft Risk Assessment Regulations
- Fact Sheet: Draft Risk Assessment Regulations (Spanish)
- Fact Sheet: Draft Cybersecurity Audit Regulations
- Fact Sheet: Draft Cybersecurity Audit Regulations (Spanish)
- May 2024 Pre-Rulemaking Stakeholder Sessions (Presentation)
- May 13 Pre-rulemaking Stakeholder Session (Los Angeles)
- May 15 Pre-rulemaking Stakeholder Session (Fresno)
- May 22 Pre-rulemaking Stakeholder Session
February 10, 2023 – Invitation for Preliminary Comments on Proposed Rulemaking
The Agency solicited preliminary written comments from the public via an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies from February 10, 2023 through March 27, 2023. That period has closed, and the public comments are available via the links below.
Written comments received during the February 10, 2023 – March 27, 2023 public comment period:
Written comments received after the February 10, 2023 – March 27, 2023 public comment period