New privacy regulations provide insights into California’s approach to ADMT, cybersecurity audits, and risk assessments, while amendments impact compliance with consumer rights obligations.

By Michael H. Rubin, Jennifer Howes, Austin Anderson, Eric Gonzalez, and Sherry Tseng

Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law on September 22, 2025. These revisions come after a year-long process of debate and public comment and will take effect on January 1, 2026 (with some provisions delayed until 2027).

While the California Privacy Protection Agency (CPPA) focused the majority of the revised regulations on introducing new obligations related to automated decisionmaking technology (ADMT), cybersecurity audits, and risk assessments, it also amended existing regulations to expand and clarify other requirements.

We summarize the key requirements under the revised regulations in this article.