by Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen

Left to right: Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen (photos courtesy of Debevoise & Plimpton LLP)
The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other amendments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025, respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).
Now that the Regulations have been approved, it is likely that the CPPA’s enforcement priorities will shift away from just online tracking technology to cybersecurity governance obligations and automated decision-making-related consumer rights. This blog post highlights some of the new obligations in the Regulations, specifically the final cybersecurity audit requirements and changes to the scope of the automated decision-making requirements.
The next step in the rulemaking process will be for the CPPA to send the final text of the rules to the California Office of Administrative Law. If the CPPA submits the final text by August 31, 2025, the regulations would likely take effect on October 1, 2025. Otherwise, if the final text is submitted after August 31, 2025, it will likely take effect on January 1, 2026.
While certain of the Regulations will take effect immediately, such as the amendments to the existing regulations, the automated decision-making technology (“ADMT”) requirements will not take effect until 2027. Depending on the organization, the cybersecurity audit requirements may have a phased implementation period, with requirements for certain businesses taking effect as soon as 2028, for a cybersecurity audit covering 2027, but for other businesses not taking effect until 2030.
Businesses should consider whether they use ADMT such that they may be in scope of the Regulations, and whether they can rely on the finalized exemptions to the opt-out requirements. They should also consider whether the cybersecurity audit requirements apply to them, determine whether the standards and controls already in place meet the audit requirements, and formulate a plan to build the audit requirements into their cybersecurity programs. Businesses that are already conducting cybersecurity audits should consider how to leverage existing frameworks to satisfy this new requirement.
The Regulations provide that every business whose processing of consumers’ personal information presents significant risk to consumers’ security must complete a cybersecurity audit. This remains the same as in the initial Draft Regulations: the business meets this threshold if it “(A) [p]rocessed the personal information of 250,000 or more consumers or households in the preceding calendar year; or (B) [p]rocessed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.”
One departure from the Draft Regulations is that there is now less board involvement in the cybersecurity audit process. The Regulations now only require that auditors report to a member of the business’s executive management team rather than the business’s board of directors.
The Regulations also add further detail to the cybersecurity audit report requirements as compared to the Draft Regulations. Under the Regulations, the report must describe the business’s information system; identify the policies, procedures, and practices that the cybersecurity audit assessed; the criteria used for the cybersecurity audit; and the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted. The cybersecurity audit report must also explain why assessing those policies, procedures, and practices; using those criteria; and examining that specific evidence justify the auditor’s findings.
The Regulations offer more flexibility to the auditor than the Draft Regulations. Under the Regulations, the auditor has the ability to determine which components of a cybersecurity program are applicable to the business. Where applicable, the audit report must assess the following components:
- Authentication;
- Encryption of personal information, at rest and in transit;
- Account management and access controls;
- Inventory and management of personal information and the business’s information system;
- Secure configuration of hardware and software;
- Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs);
- Audit-log management, including the centralized storage, retention, and monitoring of logs;
- Network monitoring and defenses;
- Antivirus and antimalware protections;
- Segmentation of an information system (e.g., via properly configured firewalls, routers, switches);
- Limitation and control of ports, services, and protocols;
- Cybersecurity awareness, including how the business maintains current knowledge of changing cybersecurity threats and countermeasures;
- Cybersecurity education and training, including training for each employee, independent contractor, and any other personnel to whom the business provides access to its information system (e.g., when their employment or contract begins, annually thereafter, and after a personal information security breach);
- Secure development and coding best practices, including code reviews and testing;
- Oversight of service providers, contractors, and third parties;
- Retention schedules and proper disposal of personal information no longer required to be retained, by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means;
- How the business manages its responses to security incidents; and
- Business-continuity and disaster-recovery plans, including data-recovery capabilities and backups.
As discussed in our previous blog post, the report must also:
- Identify gaps or weaknesses in the cybersecurity program and document the plans to address them, including the timeframe for addressing them;
- Address the status of any identified gaps and weaknesses; and
- Identify any corrections or amendments to any prior audits.
A business that is required to complete a cybersecurity audit must provide a written certification of compliance to the CPPA by April 1st of the year following the year to which the annual cybersecurity audit pertains. The written certification must be electronically signed by a member of the business’s executive management team who is directly responsible for the business’s cybersecurity-audit compliance, has sufficient knowledge of the business’s cybersecurity audit to provide accurate information, and has the authority to submit the business’s certification.
The Regulations add significant obligations for businesses that use ADMT, including the right to opt out of ADMT in some circumstances, pre-collection disclosures, a right to access additional information about a business’s use of ADMT, and risk assessments.
The CPPA significantly narrowed the scope of the Regulations since the Draft Regulations: the Regulations cover ADMT, rather than artificial intelligence more broadly. Additionally, the CPPA changed the scope of what it considers to be ADMT. Notably, the CPPA narrowed the scope of ADMT such that the technology must substantially replace human decision-making rather than merely facilitate human decision-making. Under the Regulations, to replace human decision-making means a decision without human review, where human review means understanding how to interpret and use the technology’s output to make the decision; reviewing and analyzing the output of the technology, and any other information that is relevant to make or change the decision; and having the authority to make or change the decision based on that analysis. In other words, the Regulations require actual human involvement in the decision being made for the technology to avoid being considered ADMT.
While businesses within the scope of the ADMT requirements must still comply with onerous disclosure and consumer rights obligations, the narrowed scope of ADMT will place many uses of AI that fall short of replacing human decision-making outside the scope of the Regulations.
Further, the Regulations modified but retained certain exemptions to the opt-out requirements found in the Draft Regulations, specifically where (a) the business provides the consumer with a means to appeal the decision to a human reviewer; (b) for admission, acceptance, or hiring decisions with certain safeguards; and (c) for allocation and assignment of work and compensation decisions. These use cases are still subject to the Regulations’ notice and access requirements. The Regulations removed the security, fraud prevention, and safety exemption found in the Draft Regulations.
Avi Gesser is a Partner, Johanna N. Skrzypczyk is Counsel, and HJ Brehmer and Melyssa Eigen are Associates at Debevoise & Plimpton LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).