CCPA/CPRA amended regulations approved and effective January 1, 2026

9/25/25

By: Danielle A. Ocampo

The California Office of Administrative Law (OAL) approved the most recent amendments to the CCPA regulations to take effect January 1, 2026.

How Did We Get Here?

The California Consumer Privacy Act (CCPA) of 2018, effective 2020, was the first comprehensive consumer privacy law in the country; it afforded Californians data rights that shift control of their personal data away from businesses and back to consumers. The California Attorney General (AG) established and enforced the first CCPA regulations in August 2020. The California Privacy Rights Act (CPRA) amended and expanded the CCPA by adding new rights and establishing the California Privacy Protection Agency (CPPA) to enforce the CCPA/CPRA alongside the AG.

Once the CPRA was effective in January 2023, the CPPA amended the CCPA regulations to reflect the CPRA’s expanded rights and obligations in March 2023. The CPPA has since amended the CCPA regulations that govern automated decision-making, risk assessments and cybersecurity audits to enhance consumer protections against a rapidly evolving technological landscape, particularly with AI and automatic decision-making. On July 24, 2025, the CPPA Board unanimously voted to adopt the second set of amendments to the regulations in their final form. On September 23, 2025, the CPPA announced OAL had approved the regulations that will take effect January 1, 2026.

What Are The New CCPA Amended Regulations?

Automatic Decision-Making Technology (ADMT)

Businesses subject to the CCPA that use ADMT to make “significant decisions concerning a consumer” must:

  • Provide consumers with pre-use notices in plain language presented at or before the point of collection that inform the consumer about the business’s use of ADMT, how the ADMT made a significant decision about a consumer and the effects of that decision, outputs, alternative processes for decision making, the right to access the ADMT and the right to opt-out.
  • Uphold requests to opt out of ADMT use.
  • Uphold requests to access ADMT.

Prior to the final July regulations, the CPPA’s previous May draft on ADMT was much broader. Notably, the final regulations remove all references to AI to avoid regulatory ambiguity and overreach, echoing the concern that regulating AI broadly could stifle innovation, especially in light of federal initiatives like the Trump Administration’s AI Action Plan. The July 2025 amendments narrowed the scope of ADMT to technologies that replace or “substantially replace human decisionmaking,” which the final version defines as using the ADMT’s output to make a decision without human involvement.

Risk Assessments

Risk assessments are still required when processing consumers’ sensitive personal information that presents a risk to consumers’ privacy. This includes using ADMT for a significant decision concerning a consumer, using personal information as training data for an ADMT, and using automated processing to infer or extrapolate sensitive information (health, preferences, interests, intelligence, ability) about a consumer. Along with new content requirements, the final regulations no longer require businesses to submit their assessments annually to the CPPA; instead, businesses must conduct and update risk assessments as soon as feasibly possible, and no later than 45 calendar days, whenever material changes related to the processing activity occur. Businesses are still required to review and update their risk assessments at least once every three years, independent of any material changes in between.

Cybersecurity Audits

While ISO compliance focuses on governance and management controls, the CCPA cybersecurity audit focuses on the effectiveness of cybersecurity programs. The CCPA requires specific contents such as the policies and procedures, the audit criteria, specific evidence used, gaps and weaknesses and more. A business may use a cybersecurity audit for another purpose, such as a NIST Cybersecurity Framework 2.0 audit that meets all the CCPA requirements. Importantly, the scope of the audit covers how the business implements, enforces and maintains compliance with its cybersecurity program. The CPPA provides an extensive eighteen-item list of cybersecurity components that should be evaluated if applicable.

The final regulations include an audit reporting schedule for businesses’ first cybersecurity audit, depending on the business’s gross annual revenue. Under this schedule, all businesses will have completed their first audits by April 1, 2030 and are required to complete annual audits 12 months after the first audit is completed. The use of independent auditors is required, whether internal or external.

What Do Businesses Need to Know?

If you are a business subject to the CCPA, this Q4 2025 should be a focused time to prepare for the amended regulations to take effect. As businesses increasingly look to integrate new AI and automatic decision-making technologies, they must also ensure that the proper processes, procedures and training are in place to ensure compliance. Among other goals for compliance:

  • Businesses should always scrutinize and evaluate the prospective use of AI and ADMT prior to procurement.
  • Businesses should review their privacy notices and understand the technology behind their tools, especially as they relate to personal information and data.
  • Businesses will need to create a process to ensure that consumers’ opt-out requests, access requests and appeals processes for ADMT are functionally sound and honored both within the organization and by its vendors.
  • Businesses will need to conduct thorough assessments and be prepared to defend them. While perfection may appear to be an impossible standard, if subject to a regulatory investigation, doing the bare minimum in completing assessments or evaluating ADMT risks will not be sufficient.
  • Although not a requirement, businesses should review the list of eighteen cybersecurity measures in the cybersecurity audit article and consider whether implementing any additional components would best serve the organization’s security defenses.

The regulations will likely increase the amount of time and expense spent on evaluating risks and internal procedures. All these considerations taken together will require more governance and oversight to ensure the organization is being accountable and responsible with consumer data. FMG Law’s Data Security, Privacy & Technology Group can assist with preparing your business for the CCPA regulations and more.

For more information, please contact Danielle A. Ocampo at danielle.ocampo@fmglaw.com or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and are not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.