California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know



On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations under the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. The package covers Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications on how the CCPA applies to Insurance Companies. Once filed with the California Office of Administrative Law, the package moves into its final review stage before formal enactment.

CCPA Steering Toward Operational Compliance

This is a clear signal that privacy compliance expectations in California are moving into a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially where automated decision-making and high-risk data processing are involved. For companies, this is more than a theoretical update: it is a clarion call to build these requirements into day-to-day governance, technology and process design, and vendor management practices.

Automated Decision-Making Technology in Focus

The Regulations create a new compliance framework for businesses that use ADMT to make “significant decisions” about consumers. In a key change, the CPPA’s latest draft drops all references to “artificial intelligence,” signaling that broader AI policy will be left to future legislation. At the same time, the substance of the rules aligns closely with Colorado’s Artificial Intelligence Act — a welcomed consistency for companies operating in multiple states.

The Regulations require businesses to provide a Pre-Use Notice that explains the specific decision being made, the categories of personal information feeding the system, and the consumer’s right to opt out or appeal; narrow exceptions apply where meaningful human review is already part of the process. These disclosures can be folded into existing Notices at Collection, reducing duplication. For most companies, the critical step will be building an inventory of ADMT use, including third-party vendor tools, and ensuring that documentation and oversight are strong enough to withstand regulatory scrutiny.

Cybersecurity Audits and Risk Assessments for “Significant Risk” Processing

Another operational impact of the Regulations is that cybersecurity audits become mandatory for companies meeting certain revenue or data volume thresholds, with phased deadlines beginning in 2028 and annual certification requirements thereafter. Audits must be conducted by independent, qualified professionals (either internal or external) against recognized standards and must focus on evidence-based testing of security controls, not just management attestations. Notably, the new Regulations spell out the independence and qualification criteria such auditors must meet.

The rules outline specific program elements subject to review, including multi-factor authentication, encryption, access controls, vulnerability testing, incident response, and vendor oversight. Businesses must also document remediation plans for any gaps identified and retain audit records for five years.

Risk assessments are triggered by activities presenting “significant risk” to consumer privacy, including selling or sharing personal information, processing sensitive data (other than for limited employment-related purposes), using ADMT for significant decisions, training facial- or emotion-recognition tools, or inferring consumer traits through automated processing. Assessments must weigh risks against benefits, document data flows and safeguards, and be updated at least every three years or whenever material changes occur.

For most organizations, the practical burden will be building scalable audit and risk assessment programs that can cover multiple processing activities and harmonize with other state and federal frameworks.

Application to Insurance Companies

Article 12 clarifies how the CCPA applies to insurers and related entities. The regulations define “insurance company” broadly to include carriers, agents, and insurance-support organizations, but draw a clear line between data governed by the Insurance Code and data subject to the CCPA.

Where personal information is collected outside of an insurance transaction, insurers that meet the CCPA’s “business” threshold must comply fully. This includes employee and applicant data, marketing datasets, and website visitor information unrelated to policy applications or claims. In these contexts, insurers must provide Notices at Collection, honor opt-outs (including preference signals), and treat employees as covered consumers under the CCPA.

By contrast, personal information processed strictly within the scope of an insurance transaction remains under the Insurance Code and is excluded from CCPA coverage. For large carriers, the practical impact is maintaining parallel compliance tracks: one under insurance regulations for policy and claims data, and another under the CCPA for ancillary data collection, employment records, and digital marketing activities.

Practical Next Steps for Businesses

With final approval likely, companies should move quickly to assess and prepare for these new obligations:

  1. Map Automated Decision-Making: Inventory all uses of ADMT and profiling, evaluate whether they meet the “significant decision” threshold, and develop pre-use notices to meet disclosure requirements. This should be included in any data mapping or inventory the business already does for CCPA compliance.
  2. Conduct Risk Assessments: Identify high-risk processing activities and sensitive data flows, and design a risk assessment process that documents purpose, proportionality, and safeguards. Map the results of each assessment to the controls that mitigate the identified risks; that mapping will also support the cybersecurity audits where they apply.
  3. Plan for Cybersecurity Audits: If you process large volumes of personal or sensitive data, begin scoping an annual cybersecurity audit framework capable of producing evidence-based reports. This includes identifying and retaining qualified personnel (internal or external) to undertake such audits.
  4. Update Privacy Notices and DSAR Processes: Revise privacy notices to address ADMT use, strengthen identity verification procedures, and ensure opt-out mechanisms function as required.
  5. Review Vendor and Partner Contracts: Ensure service provider agreements align with the new requirements for purpose limitation, downstream obligations, and audit rights.
  6. Update Documentation and Retention Practices: Develop internal templates and repositories for audit reports and risk assessments – these will likely be a focal point in any CPPA enforcement action.

Preparing for What Comes Next

Although the regulations have one more procedural step before becoming final, the CPPA’s unanimous vote makes adoption highly likely. For organizations handling California residents’ data, it is time to move from awareness to readiness. These updates do not just expand privacy rights; they raise the compliance bar across governance, security, and technology design in ways that will ripple through the rest of the U.S. market.

That theme is consistent with the CPPA’s recent enforcement action discussed in our prior post, CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail, which emphasized that having the right policies and vendors is not enough if your systems don’t actually work in practice. The new regulations build on that message: operational soundness, continuous testing, and real-world execution are no longer optional – they are the baseline for CCPA compliance moving forward.
