Unpacking the Latest Proposed CCPA Regulations

Overview

On May 1, 2025, the California Privacy Protection Agency (CPPA) announced a major overhaul of its draft California Consumer Privacy Act (CCPA) regulations on automated decision-making, cybersecurity audits, risk assessments, and insurance. On May 9, 2025, the CPPA opened a truncated public comment period on the revised draft regulations, which will close on June 2, 2025. Our prior summaries (here and here) addressed the broad reach of previous versions of these proposed regulations. While the CPPA has pulled back from many of the most ambitious – and onerous – parts of the proposed regulations, it is clear that the CPPA is moving to finalize this narrowed set of regulations by November 2025. So now is the time for companies subject to the CCPA to consider any final comments on the proposed regulations and begin planning for their implementation.

In Depth

CHANGES TO EXISTING REGULATIONS

Often lost in the discussion around the new aspects of the proposed CCPA regulations is that the CPPA is proposing many substantive changes to existing CCPA regulations as well. At least some of those proposed changes were removed in the latest round of draft proposals. Below are the key changes that remain:

  • Businesses that collect consent for a processing purpose must ensure that there is a method by which consumers can withdraw that consent “at any time.”
  • Links to a privacy policy must appear not just on the homepage but “any internet webpage where personal information is collected.”
  • Requests to opt-out must be the same or fewer steps than the method to opt-in (e.g., website cookies).
  • There are new rules for privacy disclosures related to connected and virtual reality devices.
  • Consumers can request personal information pursuant to an access request beyond information collected in the prior 12-month period.
  • An individual is not required to resubmit a data subject request when that consumer made the initial request through an agent.

While these are the most significant changes to the existing regulations, the above is not an exhaustive list. The proposed regulations include numerous wordsmithing changes, clarifications and new illustrative examples as to how the CPPA expects the regulations to be followed.

CYBERSECURITY AUDITS

The latest proposals around cybersecurity audits will come as a welcome reprieve for many businesses. The CPPA is granting businesses more time to complete the initial audit and has pared back on some of the more onerous aspects of the prior proposals. Nonetheless, the cybersecurity audit requirement will be a burdensome task for many companies and will require significant time and resources to complete.

Timing for First Cybersecurity Audit

Welcome relief is that the latest proposed regulations introduce a phased timeline for the completion of cybersecurity audits. Companies with annual revenue above $100 million (including those above $1 billion) must complete their cybersecurity audits by April 1, 2028. Companies in the $50 million to $100 million range must complete their first audit by April 1, 2029. Companies with under $50 million in annual revenue have until April 1, 2030, to complete their first audit. The revenue thresholds are based on a company’s 2026 gross revenue.

On a going-forward basis, audits for the prior year will have to be completed by April of the current year. For example, the audit covering January 1, 2035, through January 1, 2036, must be completed by April 2036.

Cybersecurity Audit Changes

There are many changes to the actual implementation requirements of the cybersecurity audit as well, including:

  • Internal auditors will no longer have to report to the board of directors. Instead, the highest ranking auditor must report to a member of the business’s executive management team with responsibility for cybersecurity oversight.
  • The introspective aspects of the audit (i.e., why certain methods were chosen, outlining the methodology) have all been removed in the latest proposed regulations.
  • The auditor no longer needs to explain why a business does not implement one of the many cybersecurity safeguards pre-selected by the CPPA in the regulations (perhaps the most significant change). Rather, the auditor must only address the components that it deems applicable to a business’s system.
  • The proposed regulations have withdrawn certain of the safeguards that drew the most criticism for being well outside market application (i.e., zero trust architecture).
  • The May 9, 2025, regulations require new descriptions of a company’s overall business information system and implementation of the company’s privacy program.
  • Businesses are no longer required to document why an alternative audit, such as the NIST Cybersecurity Framework 2.0, provides at least equivalent security to the requirements set out in the regulations. This means that businesses likely can leverage existing audits to meet the CCPA regulatory requirements.

Finally, the content of the audit report has been modified to include:

  • A certification of completion must be submitted to the CPPA every April.
  • The certification must be completed by a member of the business’s executive management team responsible for cybersecurity implementation.
  • The certification must include the contact information for that individual, a statement of compliance, the time period covered by the audit, and an attestation by the signing individual.

RISK ASSESSMENTS

When Required

Although the automated decision-making technology (ADMT) obligations of the proposed CCPA regulations have been limited to a specific type of use of ADMT (discussed below), the newly proposed regulations include additional ADMT uses that must be subject to risk assessments. Risk assessments must be performed when a company:

  • Sells or shares personal information
  • Processes sensitive personal information (for any purpose)
  • Uses ADMT for significant decisions (discussed below)
  • Uses ADMT to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, and similar characteristics in the individual’s capacity as a job applicant, student, employee, or independent contractor
  • Uses ADMT to infer characteristics based on a person’s presence in a sensitive location (i.e., health, political, poverty, religious, or legal locations)
  • Uses personal information to train ADMT for a significant decision

Assessment Requirements

The content of the assessments has been significantly updated in the newly proposed regulations. In particular, highly technical descriptions of the process and what could have been burdensome descriptions of the assessment process have been removed.

Thankfully, the CPPA has added new language that recognizes that many businesses will have already been engaging in risk assessments to comply with other state consumer privacy laws. The proposed regulations acknowledge that companies can rely on those other assessments so long as they meet the requirements of the CCPA regulations.

Timing for Completion of Assessments

For processing that is already occurring prior to the effective date of the new regulations, businesses will have until December 31, 2027, to complete their assessments. If a business makes a material change to a process subject to a risk assessment, the business must update its risk assessment within 45 days of the change.

Submission to the CPPA

The submission process has also undergone significant change. For risk assessments conducted in 2026 and 2027, companies must submit information about the assessment, but not the assessment itself, to the CPPA by April 1, 2028. Businesses must provide a contact point, the time period covered by the submission, the number of risk assessments conducted by the business in the time period, whether the risk assessments covered the processing of personal information under the CCPA, an attestation, and the name of the person submitting the report. The person making the submission must be someone responsible for the business’s overall compliance with risk assessments under the CCPA regulations.

Subsequent submissions are due in April of the following year (i.e., the 2035 yearly submission would be due April 1, 2036).

AUTOMATED DECISION-MAKING

The headlines around ADMT changes include (1) that the proposed CCPA regulations remove all references to artificial intelligence (AI) and (2) the definition of what constitutes ADMT has been substantially narrowed. Both of these changes had been the target of much ink in the public comment period and even drew the ire of California’s governor, who wrote a letter to the CPPA suggesting that AI regulation was more appropriately handled by the legislature.

Revised ADMT definition

The definition of ADMT has been the source of much debate in the CCPA regulations. Up until recently, the definition was so broad that it could have included a calculator or an Excel sheet with formulas in it. Thankfully, the newly proposed regulations have retreated from that absurd position.

ADMT is now defined as technology that processes information “to replace human decisionmaking or substantially replace human decisionmaking.” The phrase “substantially replace human decisionmaking” is defined to mean a use of a technology output “without human involvement.” “Human involvement” requires that an individual understand the technology output, analyze it, and have the authority to change the output. While the definitions are more than a bit convoluted, the ADMT definition will now narrowly apply to “profiling” under the CCPA regulations and any technology that replaces human decision-making.

Triggers for ADMT Requirements

There have been substantial changes to what businesses must do when using ADMT. Most significantly, the requirements of the proposed CCPA regulations related to ADMT will now only apply if ADMT is used “to make a significant decision” concerning the consumer. All other uses of ADMT are excluded from the latest proposed regulations.

Significant decisions concerning a consumer include decisions that result in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.

For ADMT use that is subject to the newly proposed CCPA regulations, businesses must be in compliance by January 1, 2027, for existing ADMT use and at the time of use for all future ADMT operations after January 1, 2027.

ADMT Consumer Rights

Like other parts of the ADMT regulations, the new draft regulations include substantial, narrowing changes.

Pre-Use Notice

This must be provided at or before the point of collection or, if the information has already been collected, before the information is used in connection with covered ADMTs. The notice must include a description of the ADMT use, the right to opt-out and access the ADMT output, and how to exercise those rights. The notice also must include a statement that the consumer will not be retaliated against for exercising their rights. The new draft regulations also narrow the type of information that must be included about the ADMT, making it clear that businesses need not disclose trade secrets or other sensitive information that would compromise their ability to prevent fraud or protect the physical safety of people.

Limitations on Consumer Rights

The newly proposed regulations clarify that if ADMT is not used for a significant decision, businesses do not have to offer opt-out or access rights to consumers.

Access Requests

In response to an access request, the type of information that must be provided has been narrowed to:

  • The purpose for which the business used ADMT.
  • Information about the logic of the ADMT process (i.e., how it worked).
  • The outcome of the decision.

In addition, the business is prohibited from retaliating against the consumer for exercising their access right.

Gone is the obligation to provide highly technical details to consumers.

As with the changes to the pre-use notice, the newly proposed regulations make clear that businesses do not need to disclose trade secrets or information that would impact their ability to combat fraud or other security issues.

WHAT’S NEXT?

Public comment on the new regulations is open through June 2, 2025. The staff and board of the CPPA have expressed an interest in having this rulemaking conclude by November 2025. To achieve that, we do not anticipate any further significant changes to the proposed regulations. As a result, it is time that businesses begin to prepare for the new, narrower CCPA regulations and make sure they are ready to implement the changes.

If you are interested in commenting on the proposed regulations or are looking to begin adapting existing compliance mechanisms for the new regulations, please contact your regular McDermott lawyer or one of the authors of this article.