The waiting period is over. If your business has been monitoring these regulations while you told yourself there was still time to figure out whether they apply, that window has closed.
On September 23, 2025, the California Office of Administrative Law approved the final regulations the CPPA Board adopted on July 24, 2025. The package covered three companion rules that have been in development for years: mandatory cybersecurity audits, privacy risk assessments, and rules governing automated decision-making technology (ADMT). Risk assessment obligations took effect January 1, 2026. ADMT compliance kicks in January 1, 2027. Cybersecurity audit certifications are due in 2028, 2029, or 2030 depending on your revenue.
This is the regulatory framework that completes the CCPA's second chapter. And it arrived while the CPPA was simultaneously fining Ford $375,703 and PlayOn $1.1 million for unrelated violations. The enforcement posture and the compliance obligations are moving in lockstep.
How we got here: five years from proposal to final rule
The CCPA, as amended by the CPRA in 2020, directed the newly created CPPA to develop regulations governing cybersecurity audits, risk assessments, and ADMT. That directive sat in draft form, went through multiple public comment rounds, and was revised substantially before the CPPA Board finally adopted the package in July 2025.
The OAL's September 2025 approval ended the regulatory process. These are not pending rules. They are not draft guidance. They are final regulations with enforceable obligations, documented thresholds, and specific submission deadlines already scheduled on the CPPA's calendar.
That five-year timeline gave a lot of businesses room to watch and wait. That room is now gone.
Rule 1: Privacy risk assessments (in effect now)
The risk assessment requirement has the earliest compliance date. Businesses subject to this rule were required to begin conducting privacy risk assessments by January 1, 2026. If you process personal information in ways that present a "significant risk" to consumer privacy, you are likely covered.
The regulation requires risk assessments for processing activities including targeted advertising, selling or sharing personal information, profiling with legal or similarly significant effects, processing sensitive personal information, and using ADMT for significant decisions. This is not a narrow list. Most mid-size and larger businesses doing any kind of digital marketing or data analytics will find at least one trigger here.
The assessment itself must involve relevant internal stakeholders for the specific processing activity and must result in a documented report. The CPPA's stated goal for this requirement is direct: businesses should restrict or prohibit processing when privacy risks to consumers outweigh the business benefits. That framing matters because it signals the CPPA expects these assessments to actually change behavior, not just generate paperwork.
Documentation must be submitted to the CPPA by April 1, 2028 for assessments conducted in 2026 and 2027. For assessments conducted in 2028 and later, submission is due April of the following year.
Rule 2: Annual cybersecurity audits (certifications due 2028-2030)
Businesses whose processing of personal information presents a "significant risk" to consumer security must conduct annual cybersecurity audits. The auditor must operate independently and base their findings on their own analysis of security testing and information provided. The auditor is not there to rubber-stamp the business's self-assessment.
The certification deadlines are tiered by revenue:
- Over $100 million in annual revenue: first certification due April 1, 2028
- $50 million to $100 million: first certification due April 1, 2029
- Under $50 million: first certification due April 1, 2030
The April 2028 deadline for larger businesses is closer than it sounds. A serious cybersecurity audit requires scoping work, selecting an independent auditor, gathering documentation, running the audit itself, addressing findings, and preparing the certification. Businesses in the top revenue tier that start this process in late 2027 will be scrambling.
The regulation also requires businesses to update their service provider agreements to require vendors to cooperate with cybersecurity audits. If your contracts with data processors do not include that cooperation language, they are non-compliant as of now.
Rule 3: Automated decision-making technology (ADMT) rules (compliance by January 2027)
The ADMT rules are the most operationally complex of the three. Under the CCPA, ADMT is defined as any technology that processes personal information using computation to replace or substantially replace human decision-making. Substantially replacing human involvement means the output is used without meaningful human review. Meaningful review means someone actually understands the output, considers it alongside other information, and has the authority to override the decision.
The rules apply when a business uses ADMT to make "significant decisions" about consumers. The regulation defines significant decisions as decisions that result in the provision or denial of financial or lending services, housing, education enrollment, employment or contracting opportunities, compensation, or healthcare services. If your business uses an algorithmic or model-driven system to make these kinds of decisions about California residents, the ADMT rules apply to you.
Businesses already using ADMT for significant decisions must comply by January 1, 2027. New uses beginning after that date must comply immediately.
Compliance means three things:
- Pre-use notice: Before collecting personal information for ADMT use (or before using existing data for ADMT), you must provide a prominent notice describing the purpose of the ADMT, how the consumer can opt out, how the system works, what personal information it uses, and what outputs it generates.
- Right to opt out: Consumers must be able to opt out of ADMT used for significant decisions. You need at least two opt-out methods, one of which reflects the primary way your business interacts with consumers. If a consumer opts out, you must have an alternative decision-making process available: either a human reviewer with authority to overturn the decision, or one of the narrow statutory exceptions.
- Right to access information about the ADMT: When responding to consumer access requests, you must provide plain-language explanations of the ADMT's purpose, logic, and how the output was used in their specific decision.
ADMT use for significant decisions also triggers a mandatory privacy risk assessment under Rule 1. The two obligations are linked.
Not sure which of these three rules applies to your business?
Our free assessment walks through the threshold questions for cybersecurity audits, risk assessments, and ADMT. It tells you what you need to have in place and by when.
What "significant risk" actually means for audit and assessment triggers
Both the cybersecurity audit and risk assessment obligations are scoped to businesses whose processing presents a "significant risk." That term does the heavy lifting in determining who is covered. The CPPA has not published a simple bright-line revenue threshold for these obligations in the same way ADMT has a clear set of use cases. The significant-risk standard is based on the nature and volume of the processing.
Practically speaking, if your business processes a substantial volume of California consumer personal information, handles sensitive categories like health data, financial records, or precise geolocation, or sells or shares data with third parties for advertising purposes, you should assume you meet the threshold and work backward from there. Assuming you do not meet it and learning otherwise during an investigation is a much worse position.
The enforcement context: these rules landed during an active enforcement wave
The timing matters. These regulations took final effect while the CPPA was actively fining businesses for separate violations. Ford's $375,703 fine for opt-out friction and PlayOn's $1.1 million penalty for dark patterns and fake opt-outs both landed in March 2026. The California Attorney General's $2.75 million CCPA settlement, described at the time as the largest in the statute's history, is part of the same period.
The CPPA is not treating enforcement as a future project. It is running investigations and issuing fines while simultaneously watching the new compliance deadlines approach for the companion regulations. Businesses that are still in a "wait and see" posture on the cybersecurity audit, risk assessment, and ADMT rules are making that calculation in an environment where the agency has already demonstrated it will act.
Three things to do before the end of Q2 2026
You do not need a comprehensive compliance roadmap today. You need to know where you stand. Here is a concrete starting point:
1) Map your processing activities against the risk assessment triggers
The risk assessment requirement is already in effect. Pull together a list of your data processing activities and check them against the trigger categories: targeted advertising, selling or sharing personal information, profiling with significant effects, processing sensitive personal information, ADMT for significant decisions. If any of those apply, you need a documented assessment underway, not planned.
2) Audit your vendor contracts for cooperation language
The regulations require service provider agreements to include provisions obligating vendors to assist with cybersecurity audits, risk assessments, and ADMT compliance. Most contracts signed before September 2025 do not have this language. Work through your data processing agreements and get the updates in place. This is a contract management problem as much as a compliance problem.
3) Inventory your ADMT systems and decision workflows
If you use any automated or algorithmic system to make or influence decisions about consumers in the significant-decision categories, map those systems now. The January 2027 compliance date for ADMT feels distant, but the pre-use notice and opt-out infrastructure are not trivial to build, especially if the ADMT is embedded in a third-party platform your team does not fully control.
The CCPA Audit Readiness Kit covers all three of these rules
The kit includes risk assessment templates, cybersecurity audit preparation checklists, ADMT inventory worksheets, and vendor contract language. Everything you need to turn these regulations into a manageable workplan rather than a compliance crisis.
My take: the excuse window is closed
For years, businesses could reasonably say these rules were not final. Legal teams could point to open comment periods and ongoing revisions as reasons to hold off on building compliance programs. That argument does not exist anymore.
The cybersecurity audit, risk assessment, and ADMT rules are signed, effective, and backed by an agency that has shown it is willing to issue substantial fines on unrelated matters during the same period. The only remaining question for most businesses is how far behind they are and how quickly they can close the gap.
Sources: CPPA Board, July 24, 2025 adoption; California Office of Administrative Law approval, September 23, 2025; CPPA official regulation summary at cppa.ca.gov/regulations/ccpa_updates.html.