On September 23, 2025, the California Privacy Protection Agency (“CPPA”) announced that the California Office of Administrative Law (“OAL”) had approved the new and amended California Consumer Privacy Act regulations that the CPPA submitted to OAL following its July 24, 2025 Board meeting. This was the final step under California law toward formal adoption of the new and amended regulations.
The regulations establish the criteria under which businesses will be required to perform annual, comprehensive cybersecurity audits and detailed, technical privacy risk assessments. They also impose new requirements on certain uses of automated decision-making technologies, which can include artificial intelligence tools. The CPPA took the opportunity to make additional updates to the existing regulations as well, including with respect to the processing of opt-out preference signals online and the mandatory terms in data processing agreements entered into with third-party suppliers.
The regulations take effect January 1, 2026, subject to the following deferred deadlines:
Cybersecurity Audits
Businesses subject to cybersecurity audit requirements must submit certifications to the CPPA by the following dates based on their annual gross revenue:
• April 1, 2028, if the business had annual gross revenue of more than $100 million in 2026;
• April 1, 2029, if the business had annual gross revenue of at least $50 million but no more than $100 million in 2027; or
• April 1, 2030, if the business had annual gross revenue of less than $50 million in 2028.
After April 1, 2030, a business that, as of January 1 of a given year, met the audit criteria during the prior calendar year must complete an audit covering the following 12 months and submit its certification to the CPPA by April 1 of the year after that.
Risk Assessments
Businesses required to conduct risk assessments must begin complying on January 1, 2026. By April 1, 2028, they must submit to the CPPA:
• An attestation confirming completion of required risk assessments for 2026 and 2027, as applicable, and
• Certain information about those assessments, including contact details for the business and the categories of personal information reviewed.
For assessments conducted after 2027, businesses must submit the attestation and required information by April 1 of the year following the assessment.
Automated Decision-Making Technology (“ADMT”)
Businesses that use ADMT to make significant decisions, as defined by the regulations, must comply with the ADMT requirements beginning January 1, 2027.
The next CPPA Board meeting is on Friday, September 26, 2025.
We will continue to provide updates and analysis of the new regulations on our Privacy, Cyber & Data Strategy blog. If you have questions about how the new regulations may affect your organization, please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team.