
California: CPPA Agency Finalizes New CCPA Regulations on ADMT, Cybersecurity, and Privacy Risk Assessments

On September 23, 2025, the California Privacy Protection Agency (CPPA) finalized a landmark set of regulations under the California Consumer Privacy Act (CCPA), which were approved by the Office of Administrative Law.

The new regulations introduce significant obligations for covered businesses using automated decision-making technologies (ADMT), require regular cybersecurity audits, and mandate technical privacy risk assessments. While the CPPA narrowed the scope of earlier proposals for the updated regulations – limiting ADMT provisions to technologies that “substantially replace” human decision-making – the final rules represent an expansion of compliance duties.

The regulations are set to take effect January 1, 2026, with compliance deadlines phased in based on business type and size.

Digital Health Blog – Hooper Lundy & Bookman

Professional

Andrea Frey
Partner
San Francisco
San Diego
Stephen K. Phillips
Partner
San Francisco
Eric M. Fish
Partner
Washington, D.C.
Monica Massaro
Director, Government Relations & Public Policy
Washington, D.C.
Sunaya Padmanabhan
Associate
San Francisco

© 2025 Hooper Lundy & Bookman PC
