At its July 24, 2025 meeting, the Board of the California Privacy Protection Agency voted unanimously to finalize regulations on automated decisionmaking technology, risk assessments, cybersecurity audits, and other areas. The culmination of a years-long effort that began early in 2023, the rulemaking package will soon be submitted to the California Office of Administrative Law, which has thirty working days to review and approve the package. Pending legal challenges or delay from OAL's review, the regulations will take effect January 1, 2026

These rules represent a significant shift in the privacy, security and artificial intelligence regulation landscape. While the final rules are less expansive than earlier drafts, businesses will need to operationalize several new obligations under the regulations, including (but certainly not limited to):

• Honoring new consumer requests to access and opt-out of the use automated decisionmaking technology.
• Undergoing annual, independent cybersecurity audits and submitting a certificate of completion to the CPPA.
• Conducting risk assessments in a broad range of required scenarios, including when selling or sharing personal information.

More substantive analysis is to come. In the meantime, don't hesitate to reach out if you'd like to discuss these regulations.