Responding to California's New CCPA Regulations: What Businesses Need to Know About Risk Assessments, Automated Decision-Making and Cybersecurity Audits

By Zac Soto
October 31, 2025

In a major step forward in consumer privacy regulation, the California Privacy Protection Agency (CPPA) has finalized a host of new rules under the California Consumer Privacy Act (CCPA). These rules create significant new obligations for businesses that use personal data in ways that present heightened risks to individuals. Specifically, the new regulations address required risk assessments, the use of automated decision-making technology (ADMT), and cybersecurity audits. These changes, which take effect beginning in 2026, will require a proactive governance approach from affected businesses.

Expanding CCPA: From Consumer Rights to Risk Governance

The CCPA has traditionally focused on consumer-facing obligations: providing disclosures, honoring data rights requests, and avoiding discriminatory treatment of consumers. The new CPPA regulations move beyond these principles to require internal governance mechanisms and active documentation. The agency’s aim is to reduce harm by requiring companies to evaluate the risk of their processing activities and make deliberate, documented decisions about whether, and how, they should continue.

These obligations apply primarily to businesses engaged in activities that carry a higher potential for adverse impacts—such as profiling individuals, using AI tools to automate decisions about access to jobs, credit, or housing, and processing sensitive personal information.

What Triggers a Risk Assessment?

Businesses subject to the CCPA must now conduct a formal, written risk assessment before engaging in certain types of processing activities. These include:

  • Selling or sharing personal information with third parties.
  • Processing sensitive personal information (which includes, among other categories of data, health data, biometric identifiers, geolocation, or racial/ethnic data); an exception applies to certain limited human resource processes, including benefits, legally required reporting, and payroll processing.
  • Using ADMT to make or influence decisions about individuals’ employment, education applications, access to financial services or lending, compensation, access to housing, or access to healthcare.
  • Profiling based on a consumer’s presence in “sensitive locations”, which include educational facilities, places of worship, or healthcare facilities, among other locations.
  • Using personal information to train ADMT for significant decisions or to train biometric or facial recognition technology.
  • Profiling consumers via regular or continuous monitoring (including via wireless internet or Bluetooth tracking, video or audio recording, biometric identification, and geofencing, among other monitoring systems).

Risk assessments must be completed prior to engaging in new activities falling into the categories above. With respect to existing practices which began prior to 2026, risk assessments must be completed by the end of 2027.

Key Components of a Risk Assessment

Under the finalized rules, a compliant risk assessment must address the following elements:

  1. Purpose and Benefits: A clear and specific explanation of the purpose for the data processing, and any business or operational benefits that the organization expects to gain (note that general or vague statements of purpose will not suffice here).

  2. Data Details: A breakdown of what categories of personal information will be processed, including any sensitive data, how the data is collected, and how long it will be retained. A statement outlining the minimum amount of information required to satisfy the purpose and benefits of the contemplated activity is also required to ensure that data minimization principles are followed.

  3. Consumer Impact: An analysis of how many consumers are likely to be affected and what foreseeable harms might result—ranging from economic or reputational damage to physical or emotional harm, or discriminatory effects.

  4. Safeguards: A description of any technical, procedural, or contractual measures that the business will implement to mitigate identified risks.

  5. Risk-Benefit Evaluation: A documented assessment weighing the expected benefits of the processing against the potential risks to consumers.

  6. Certification and Review: Each risk assessment must be certified by a designated executive or internal review body, and must identify individuals who were interviewed or who otherwise provided data for the risk assessment. Businesses must re-assess activities subject to these requirements at least once every three years, and within 45 days following any material changes to any such activity.

  7. Recordkeeping: Businesses must retain each risk assessment for at least five years following the end of the relevant data processing activity.

Where required to complete a risk assessment, a business must also submit certain information including timing of the assessment, categories of information covered, identification of business personnel responsible for the assessment, and a point of contact for the business, to the CPPA. For risk assessments taking place in 2026 and 2027, such information must be submitted by April 1, 2028. For assessments taking place after 2027, submissions are due by April 1 of the following year.

Automated Decision-Making Technology (ADMT) Requirements

The regulations define ADMT to include systems that process personal information and replace or substantially replace human decision-making. Examples include AI tools used to screen job applications, set insurance premiums, or prioritize customer service access.

Where ADMT is used to make significant decisions about California consumers, businesses must:

  • Notify such consumers before deploying the technology.
  • Make information about how the system works, what logic it uses, and how ADMT impacts decision-making processes available to such consumers.
  • Offer an opt-out mechanism, except in limited circumstances.
  • Provide an appeal process, including human review, for decisions made using ADMT.

These obligations are intended to ensure transparency and allow consumers to understand and challenge automated outcomes that affect their lives.

Cybersecurity Audit Requirements

In addition to new risk assessment and automated decision-making requirements, the CPPA has introduced a Cybersecurity Audit Rule requiring certain businesses to conduct independent audits and certify compliance annually. These audits aim to ensure that businesses maintain effective safeguards to protect personal information and to verify that cybersecurity programs meet regulatory expectations.

Audit Applicability and Thresholds

The cybersecurity audit obligation applies only to businesses that meet specific size or data processing thresholds. A business is subject to the requirement if it either:

  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; or
  • Has over $25 million in annual revenue and either:
      • Processes the personal information of more than 250,000 California consumers or households, or
      • Processes the sensitive personal information of more than 50,000 California consumers or households.

Audit deadlines are staggered based on revenue. Businesses with over $100 million in annual gross revenue must submit their first audit certification by April 1, 2028; those with $50–100 million by April 1, 2029; and those with under $50 million by April 1, 2030. Each audit must cover the preceding calendar year.

Conducting and Certifying the Audit

Covered businesses must engage a qualified independent professional—either an internal or external auditor—to perform the cybersecurity audit according to generally accepted auditing standards, such as those established by the AICPA or the PCAOB. The auditor must have specialized cybersecurity expertise and exercise independent judgment throughout the engagement. Internal auditors cannot report to the same executive responsible for the business’s cybersecurity program, ensuring true independence.

Each business must provide auditors with full access to relevant information and make a good-faith effort to disclose all material facts. By April 1 of each year, the business must file a certification with the CPPA confirming completion of the audit. The certification must be signed by a member of executive management, attesting both to responsibility for the audit content and to its accuracy. Businesses must retain audit reports and related documentation for at least five years.

Audit Scope and Content

The audit must provide a comprehensive assessment of the business’s cybersecurity program, focusing on protections against unauthorized access, data breaches, and misuse of personal information. Each audit report must include:

  • A description of the business’s information systems, the criteria used, and the evidence examined;
  • Details of cybersecurity controls implemented (e.g., encryption, multi-factor authentication, access management, vulnerability scans, and training programs), including their effectiveness;
  • Identification of gaps or weaknesses and plans for remediation;
  • Documentation of corrections or amendments to prior audit findings;
  • Names and roles of individuals responsible for the cybersecurity program;
  • The auditor’s name, affiliation, and qualifications; and
  • A signed statement by the lead auditor certifying that the audit was independent and based on specific evidence.

Additionally, businesses must include copies of any notices sent to California consumers or regulators in connection with a data breach.

Importantly, businesses may satisfy the requirement by using an existing cybersecurity report prepared for another purpose—such as an audit conducted under the NIST Cybersecurity Framework 2.0—so long as it meets all regulatory elements outlined by the CPPA.

Business Implications and Action Items

For businesses operating in California or handling data of California residents, these changes represent the need for a shift from reactive compliance to proactive governance.

To prepare, businesses should:

  1. Map their data processing activities and determine which activities fall within the scope of the new risk assessment rules.
  2. Develop or update internal policies and templates for documenting and retaining risk assessments and providing results to the CPPA as required.
  3. Identify uses of ADMT and evaluate whether current deployments meet the new standards for notice, opt-out, and human oversight.
  4. Engage privacy, legal, compliance, and product teams to coordinate cross-functional implementation.
  5. Begin conducting risk assessments for existing high-risk processing activities, well before the 2027 deadline.
  6. Determine the applicability of cybersecurity audit requirements, and ensure appropriate compliance, operational and legal teams are engaged and prepared to conduct required cybersecurity audits.