California CCPA Updates: What Businesses Need to Know After CPPA’s July 2025 Vote

AK
Full Throttle Stack Builder

On July 24, 2025, the California Privacy Protection Agency (CPPA) unanimously voted to adopt significant regulatory updates to the California Consumer Privacy Act (CCPA). These updates introduce strict requirements around Automated Decision-Making Technology (ADMT), cybersecurity audits, risk assessments, and clarifications for insurance companies.

Before these rules take effect, they will undergo review by the California Office of Administrative Law. However, organizations cannot afford to wait. The scope and complexity of these updates mean businesses must begin preparing immediately.

Key Regulatory Updates

1. Automated Decision-Making Technology (ADMT)

The CPPA has expanded ADMT requirements to ensure greater transparency and accountability.

  • Broad Coverage: AI, machine learning, and even rule-based systems such as spreadsheets and databases fall under the new rules when used in critical areas like healthcare, employment, credit and lending, housing, education, or contracting.

  • Consumer Rights: Businesses must provide clear, pre-use disclosures and give consumers the right to opt out. A structured appeals mechanism with human oversight must also be established.

  • Risk Assessments and Recordkeeping: Companies must conduct in-depth risk assessments at both training and deployment stages, maintain detailed records of disclosures and consumer requests, and update vendor agreements to align with compliance requirements.

2. Cybersecurity Audits

Cybersecurity audits are now mandatory, with timelines tied to business size:

  • Annual gross revenue ≥ $100M: Effective April 1, 2028

  • Annual gross revenue $50M–$100M: Effective April 1, 2029

  • Annual gross revenue < $50M: Effective April 1, 2030

Audit reports must include detailed documentation of policies, procedures, criteria, and evidence reviewed. This ensures businesses can demonstrate proactive protection of consumer data.

3. Risk Assessments

High-risk data processing will require businesses to conduct ongoing risk assessments. Beginning April 1, 2028, organizations must submit annual attestations confirming that assessments were conducted in the prior year.

This mandate underscores the state’s shift toward continuous accountability, not just one-time compliance.

4. Clarifications for Insurance Companies

The CPPA has specifically addressed how CCPA obligations apply to insurance companies. This clarification closes gaps in interpretation and ensures consistent consumer protections across the industry.

Compliance Timeline at a Glance

  • ADMT Compliance: January 1, 2027

  • Cybersecurity Audits: April 1, 2028–2030, depending on business size

  • Risk Assessment Attestation: Annually from April 1, 2028

What Businesses Should Do Now

With deadlines approaching, businesses should begin implementing compliance strategies right away:

1. Inventory ADMT Use Cases

Catalog all automated decision-making tools currently in use and planned, including third-party solutions. Assess where they intersect with sensitive areas like healthcare, lending, and employment.

2. Strengthen Consumer Rights Processes

Design clear, accessible opt-out options and appeal mechanisms. Ensure consumers understand how automated decisions impact them through transparent disclosures.

3. Update Vendor Agreements

Amend contracts with third-party providers to require cooperation in data sharing, audit support, and compliance reporting. Vendors must play an active role in meeting obligations.

4. Implement Risk & Audit Frameworks

Develop structured processes for evaluating risks tied to high-risk data processing. Begin preparing for cybersecurity audits by reviewing policies, procedures, and security controls.

5. Enhance Recordkeeping Practices

Keep thorough logs of consumer disclosures, opt-out requests, appeals, and compliance activities. Strong documentation will serve as proof of accountability during regulatory reviews.

Final Thoughts

The CPPA’s July 2025 updates to the CCPA mark a decisive step toward stricter consumer protection and accountability in the age of AI and high-risk data processing. With deadlines looming as early as 2027, businesses must start compliance efforts now rather than waiting for formal enactment.

Organizations that act early with the support of compliance-focused solutions like Redacto not only reduce the risk of regulatory penalties but also build consumer trust by demonstrating a commitment to privacy, transparency, and responsible use of technology.

FAQs

1. Why is the July 2025 CPPA vote significant?

It marks the first time CCPA directly regulates AI and automated decision-making, while also mandating annual audits and risk assessments. This shifts compliance from a one-time effort to an ongoing responsibility.

2. Why should businesses prepare now instead of waiting?

Because compliance requires system overhauls, contract updates, and strong recordkeeping. Waiting until deadlines approach will leave companies scrambling, while early adopters can avoid penalties and build consumer trust.

3. What changes around risk assessments should businesses expect?

Any high-risk data processing must undergo continuous risk reviews. Starting April 1, 2028, companies must submit annual attestations confirming that assessments were carried out in the previous year.

4. Do spreadsheets or databases really fall under ADMT rules?

Yes. If they are used to make or assist important decisions in areas like credit, hiring, housing, or healthcare, they qualify as ADMT and must follow the same disclosure and opt-out requirements as advanced AI systems.

5. Are cybersecurity audits a one-time requirement?

No. They will be ongoing and must include detailed documentation of security frameworks. Regulators expect proof that data protection practices are not only in place but consistently updated.
