California: CPPA Agency Finalizes New CCPA Regulations on ADMT, Cybersecurity, and Privacy Risk Assessments

On September 23, 2025, the California Privacy Protection Agency (CPPA) finalized a landmark set of regulations under the California Consumer Privacy Act (CCPA), approved by the Office of Administrative Law.
The new regulations introduce significant obligations for covered businesses using automated decision-making technologies (ADMT), require regular cybersecurity audits, and mandate technical privacy risk assessments. While the CPPA narrowed the scope of its earlier proposals for the updated regulations – limiting ADMT provisions to technologies that “substantially replace” human decision-making – the final rules still represent an expansion of compliance duties.
The regulations are set to take effect January 1, 2026, with compliance deadlines phased in based on business type and size.