On May 1, 2025, the California Privacy Protection Agency (“CPPA”) Board convened to discuss revisions to the California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automatic decisionmaking technology (“ADMT”), insurance, and updates to the existing CCPA regulations.
The revisions were informed by comments received by the CPPA during the formal public comment period, which ran from November 22, 2024 to February 19, 2025, and feedback that the Board provided to Staff during the previous Board meeting on April 4, 2025. Below is a summary of certain material changes to the draft CCPA regulations, along with an overview of potential timelines for the draft regulations to take effect.
Summary of Certain Material Revisions to the Draft CCPA Regulations
Narrowed the Definition of ADMT. The definition of ADMT under the revised draft regulations no longer includes technology that merely executes a decision or substantially facilitates human decisionmaking. Under the new draft regulations, ADMT encompasses technology that replaces or substantially replaces human decisionmaking.
“Substantially replace human decisionmaking” means using the technology’s output to make a decision without human involvement. “Human involvement” requires that an individual know how to interpret and use the technology’s output to make a decision, analyze the output and any other information relevant to make or change the decision, and have the authority to make or change the decision based on their analysis.
Narrowed the Definition of Significant Decision. Under the draft regulations, risk assessments and ADMT obligations are triggered when businesses engage in certain processing activities related to “significant decisions” affecting consumers. Previously, “significant decisions” included those that resulted in access to, provision of, or denial of certain services. However, the latest draft regulations no longer consider decisions that determine “access to” services as triggering events.
The services that implicate whether a significant decision is being made are financial or lending, housing, education, and employment and independent contracting services. Notably, insurance, criminal justice services, and essential goods and services have been removed from the list of services.
Additionally, the draft regulations explicitly exclude advertisements to consumers that could lead to the provision or denial of qualifying services from being considered “significant decisions.”
Clarified Work or Educational Profiling. Under the previous draft regulations, businesses conducting systematic observation of consumers in their roles as educational program applicants, job applicants, students, employees, or independent contractors would have triggered both risk assessment and ADMT requirements.
Under the revised draft regulations, businesses engaging in such profiling must still conduct risk assessments, but they are no longer required to comply with ADMT obligations solely based on this profiling activity.
Removed Behavioral Advertising Threshold. The draft regulations no longer mandate that businesses conduct risk assessments or comply with ADMT obligations solely due to profiling a consumer for behavioral advertising. As a result, first-party advertising will not trigger these requirements.
Narrowed ADMT Training Threshold. Under the previous draft regulations, businesses were required to conduct risk assessments and comply with ADMT obligations when processing personal information to train ADMT that could potentially be used for certain purposes. Under the revised draft regulations, businesses are no longer required to comply with ADMT obligations solely based on training ADMT. However, they must still conduct a risk assessment when processing personal information with the intent to train ADMT for specific purposes—not merely because the technology has the capability for such use.
Risk Assessments Required for Sensitive Location Profiling. Under the previous draft regulations, businesses were required to complete a risk assessment if they engaged in profiling consumers through systematic observation of publicly accessible places. The revised draft regulations have narrowed this requirement, now mandating risk assessments only when businesses profile consumers based on their presence in a “sensitive location.”
A “sensitive location” includes healthcare facilities, pharmacies, domestic violence shelters, food pantries, housing or emergency shelters, educational institutions, political party offices, legal services offices, and places of worship.
This definition aligns with how the Federal Trade Commission has defined sensitive locations in enforcement actions against data brokers accused of unlawfully collecting, using, and sharing consumer location data. It reflects ongoing regulatory concerns regarding the potential misuse of such data.
Removed References to Artificial Intelligence. The revised draft CCPA regulations no longer explicitly reference “artificial intelligence.” However, AI systems that fall within the definition of ADMT will still be subject to regulation under the updated framework.
Timeline to Complete Cybersecurity Audits. Under the draft CCPA regulations, a business that meets the risk thresholds must complete its first cybersecurity audit by the applicable date provided below, and annually thereafter for as long as it continues to meet the risk thresholds.
• April 1, 2028, if the business’s annual gross revenue for 2026 is more than $100 million.
• April 1, 2029, if the business’s annual gross revenue for 2027 is at least $50 million but no more than $100 million.[1]
• April 1, 2030, if the business’s annual gross revenue for 2028 is less than $50 million.
Additionally, after April 1, 2030, any business that meets the risk thresholds, regardless of its gross revenue, must complete a cybersecurity audit annually.
Content and Timeline of Risk Assessment Submission. The updated draft CCPA regulations have removed the requirement for businesses to submit risk assessments to the CPPA. Instead, businesses must provide an attestation confirming completion of the risk assessment, along with key details such as the business name and point of contact.
For risk assessments conducted in 2026 and 2027, businesses must submit the required information to the CPPA by April 1, 2028. For risk assessments conducted after 2027, businesses must submit the required information by April 1 of the year following any year in which they conducted a risk assessment.
Potential Timelines for Draft Regulations to Take Effect
The CPPA Board voted to initiate a public comment period, set to conclude on June 2, 2025, potentially exceeding the minimum 15-day statutory requirement.
By law, the CPPA must finalize the draft regulations by November 25, 2025. If the CPPA files the regulations by August 31, 2025, they will take effect on October 1, 2025. However, if the filing occurs after August 31, 2025, but before the November 25 deadline, the regulations will take effect on January 1, 2026.
We will continue to monitor CCPA rulemaking. Please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team if you have any questions.
[1] The draft regulations define the threshold as “between fifty million dollars ($50,000,000) and one hundred million dollars ($100,000,000) as of January 1, 2028.” This appears to be a drafting error. We believe the best interpretation is to define the April 1, 2029 threshold as revenue totaling $50 million to $100 million.