On May 1, 2025, the California Privacy Protection Agency (CPPA) released a revised draft of its regulations. These modifications, issued in response to public comments on earlier drafts, aim to clarify and simplify key requirements around three main areas: automated decisionmaking technology ("ADMT"), cybersecurity audits, and privacy risk assessments.
Automated Decisionmaking Technology
- Refined Definition: The definition of “automated decisionmaking technology” in Section 7001(e) of the regulations is narrowed to cover tools that “substantially replace human decisionmaking,” a term now defined in the regulations:
  - “For purposes of this definition, to ‘substantially replace human decisionmaking’ means a business uses the technology’s output to make a decision without human involvement. Human involvement requires the human reviewer to:
    - (A) Know how to interpret and use the technology’s output to make the decision;
    - (B) Review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and
    - (C) Have the authority to make or change the decision based on their analysis in subsection (B).”
- The CPPA also deleted earlier definitions of “artificial intelligence” and “deepfake” as unnecessary, streamlining the terminology.
- Notice to Consumers: New language in Section 7220(d) clarifies how and when businesses must give notice about ADMT use. A “Pre-Use Notice” must “be presented prominently and conspicuously” to the consumer “at or before” the point at which data collection occurs. If a business plans to process information that it has already collected, it must provide a new pre-use notice. The notice must clearly disclose the purpose for using ADMT, how the technology works to make a significant decision, how its output is used, and how the decision would be made if the consumer opts out of ADMT. Businesses are not required to reveal trade secrets or certain sensitive security, fraud, or safety information in the ADMT notice.
- Consumer Opt-Out and Exceptions: The draft regulations continue to give consumers the right to opt out of ADMT-driven decisions. Revised provisions in Section 7221(b) outline exceptions – for example, if a meaningful human review/appeal is available, or for certain employment-related decisions (admissions, hiring, assignment, etc.). Section 7221(n)(2) now makes clear that if a consumer opts out of a particular ADMT use, the business must inform its service providers, contractors, or third parties of that specific opt-out (since a consumer might opt out of one automated tool but not others).
- Extended Compliance Timeline: To help businesses adjust, the CPPA introduced a compliance grace period. Section 7200(b) now requires businesses to be in full compliance with all Article 11 (ADMT) requirements by January 1, 2027.
Cybersecurity Audits
- Clarified Scope and Terminology: The revised draft creates a more organized framework for annual cybersecurity audits. Section 7123(c) was also restructured to consolidate all required audit components into one subsection and notes that each listed component applies “if applicable,” giving flexibility based on a business’s relevant practices.
- Audit Report Content: The rules more clearly spell out what the audit report must cover. Section 7123(e)(1) now explicitly requires the report to articulate and explain the audit’s scope, methodology, and findings. Further subsections clarify that the report should identify and assess the effectiveness of any additional security measures the business or auditor chose to include beyond the minimum requirements, as well as describe any gaps or weaknesses found in those measures that could increase risk. Section 7123(e)(4) was pared down to eliminate overly prescriptive language (e.g. removed the mandate to detail “resources allocated” to each issue), simplifying compliance.
- Increased Flexibility: Several changes aim to make the audit process more practical. Only the “highest-ranking auditor” now needs to sign off and certify the audit, rather than requiring certifications from multiple auditors. The CPPA also deleted the draft requirement that businesses notify out-of-state regulators or authorities of certain audit results, narrowing the focus to California compliance. Additionally, new Section 7123(f) confirms that a business may reuse an existing cybersecurity audit or assessment (performed for another purpose) to satisfy these requirements, so long as it meets all elements of Article 9 or is appropriately supplemented.
(Note: The substantive thresholds that determine which businesses must conduct audits, such as annual revenue and data-processing thresholds, and the phased timing for first audits were not significantly altered by the May 2025 revisions.)
Risk Assessments
- Content Requirements and Definitions: The updated draft provides more precision in how businesses conduct and document privacy risk assessments. Section 7152(a) was refined in several ways. For example, §7152(a)(6) now clarifies that a business must identify and document the safeguards it plans to implement to mitigate risks, explicitly labeling the listed safeguards as non-exhaustive examples. An overly broad reference to considering “human involvement” as a safeguard was removed as redundant. In §7152(a)(8)-(9), the rules clarify which individuals contributed to the assessment and pointedly exclude legal counsel providing legal advice from the list of contributors. Additionally, the CPPA fine-tuned the triggers that require a risk assessment in the first place: the revised §7150(b) eliminates the vague “extensive profiling” criterion insofar as it relates to profiling in a public place, replacing it with more concrete profiling thresholds (including use of a newly defined term “sensitive location” to pinpoint location-based profiling risks).
- ADMT Providers’ Duties: Section 7153 clarifies that if a business offers or uses ADMT on behalf of other businesses (for making significant decisions), it bears responsibility for ensuring appropriate risk assessments are conducted for that technology. This clarification targets service providers or tech companies that make ADMT tools available to others, confirming they must facilitate compliance when their tools are used in high-risk contexts.
- Purpose and Updates: In §7154, the draft underscores that the goal of a risk assessment is to determine whether the privacy risks to consumers outweigh the benefits of the processing, mirroring the statutory standard. Moreover, §7155(a)(3) now explicitly requires businesses to periodically update risk assessments and provides a timeframe of no longer than 45 days for doing so, adding clarity for ongoing high-risk processing activities. Importantly, Section 7155(b) (formerly 7155(c)) sets a specific deadline by which companies must complete risk assessments for any processing that began before the regulations take effect and that will continue afterward. This addition means businesses with existing data operations subject to the new rules will have a clear date by which they need to perform their first assessments.
- Use of Existing Assessments: Recognizing that businesses may already perform similar evaluations for other laws or internal governance, Section 7156(b) was revised to allow a company to leverage a risk assessment prepared for another purpose to satisfy the CPPA’s requirements. Additionally, §7156(a)(1) clarifies that “conducting a risk assessment” inherently includes documenting all required information in a risk assessment report, emphasizing that proper documentation is part of compliance.
- Submission to the Agency: The procedure for submitting risk assessment results to the CPPA has been reworked for simplicity. Section 7157(a) now specifies when businesses must submit risk assessment information to the Agency. Under the revised timeline, businesses will make an initial submission of their risk assessment summaries within a set period (e.g. 24 months) after the regulations become effective, and then provide annual submissions by April 1 of each year thereafter, covering the prior year’s assessments (as reflected in the modified text of §7157). In the updated draft, Section 7157(b) (together with 7157(d)) streamlines what information must be included in these submissions, reducing unnecessary details to simplify implementation. The responsibility for filing is clarified in Section 7157(c), which was moved from the prior draft’s subsection and now clearly delineates which businesses must submit the materials and that the submission must meet the specified requirements. Finally, Section 7157(e) requires that if the CPPA or the Attorney General requests a full risk assessment report, the business must provide it within 30 days of the request. This ensures regulators can obtain the complete assessments when needed, even though routine submissions are in summary form.
Next Steps
These revised regulations are not yet final. The CPPA intends to open a 15-day public comment period on the changes, after which the agency could formally adopt the rules, with potential further revisions. With the CPPA targeting January 1, 2027 as a compliance deadline for the new Article 11 requirements, companies have a limited time to adjust their practices. The agency’s May 2025 revisions demonstrate a move toward pragmatism and clarity, while still holding businesses accountable for robust privacy and security governance under the CCPA.