Overview
As the California Privacy Protection Agency (CPPA) prepares for its July 24, 2025, meeting, it released a revised set of California Consumer Privacy Act (CCPA) regulations that contain modest changes to the ones it released in May. The latest version contains substantive changes in two key areas: 1) the content and structure of the cybersecurity audit report and 2) the processing scenarios that are considered “high risk” and trigger a risk assessment, both of which are described in greater detail below.
The fact that only modest changes were made following the latest round of public comment demonstrates that the CPPA is positioning these proposed regulations to move to their final stage before the end of the year. That means that companies should, if they have not already, begin to prepare for compliance with the new regulations as early as Q4 2025. As described in our prior client alerts ("Draft CCPA regulations stalled as agency struggles with applicability of ADMT rules" and "CPPA releases proposed updates to CCPA regulations and unveils new draft privacy assessment and ADM rules"), the new regulations include a variety of changes to which companies will have to adapt.
In Depth
Content and structure of the cybersecurity audit report
In the latest draft regulations, the CPPA clarified that audit reports should contain information on three key areas:
- The policies, procedures, and practices that the audit assessed;
- The criteria used for the audit; and
- The specific evidence examined, such as documents reviewed, sampling/testing performed, and interviews conducted.
Changes in the processing scenarios that are considered “high risk”
With respect to high-risk processing activities that require risk assessments, the latest draft regulations replaced the “Profiling” defined term with the list of activities that constitute “Profiling” in the section of the regulations that triggers risk assessments. These changes are not substantive; in explaining the change, the CPPA said it thought the edit would help clarify what type of automated decisionmaking processing is high risk.
The draft regulations also add a narrow exception to risk assessments where a business uses a “consumer’s personal information solely to deliver goods to, or provide transportation for, that consumer at a sensitive location.”
What’s next?
The CPPA staff have prepared the package of revised materials to be filed with the Office of Administrative Law, which is the final step before the regulations can be finalized. The staff and board are still targeting November 2025 to finalize this rulemaking. Thus, time is of the essence to conduct a gap assessment and prepare for these new regulations.
If you are interested in building out your CCPA compliance program, please contact your regular McDermott lawyer or one of the authors.