
30 September 2025

CCPA 2025 updated regulations: What’s new, what’s next, and what to do

On September 23, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency (CPPA)’s new California Consumer Privacy Act (CCPA) regulations covering cybersecurity audits, risk assessments, automated decision-making technology (ADMT), insurance, and updates to some key existing CCPA rules. The updated regulations take effect January 1, 2026, with compliance deadlines for some components running into 2028:

  • Risk-assessment duties begin January 1, 2026
  • ADMT requirements begin January 1, 2027
  • First risk-assessment submissions are due April 1, 2028
  • Cybersecurity audit certification deadlines begin April 1, 2028 (for the highest revenue tier; see below)

Updates to existing CCPA regulations

Expanded right to know/access. If a business retains personal information for longer than 12 months, it must provide consumers with a method to submit a right-to-know request that includes access to personal information collected prior to the 12-month period preceding the business’s receipt of the request (going back to January 1, 2022). Under the updated regulations, businesses may either allow consumers to specify a date range for their right-to-know request or offer the option to request all personal information the business has collected about them.

Clarification on privacy policy disclosures. The original CCPA regulations required a business to disclose in its privacy policy the categories of personal information disclosed to third parties in the preceding 12 months. The updated regulations now also require disclosure of the categories of personal information that were disclosed to service providers and contractors in the preceding 12 months. If the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, it must state that fact. If the business uses ADMT, it has additional notice obligations and must provide additional rights under the 2025 CCPA regulations (see below for more information).

More illustrative examples for dark patterns. The updated regulations include additional details and examples to help spot “dark patterns,” and specify that certain illustrative examples from the original regulations are now “requirements.”

Updated definition of “Sensitive Personal Information.” The updated regulations add a new category of “Sensitive Personal Information” for neural data “that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Notice of the Right to Limit enhanced. If applicable, a business must now also provide the Notice of Right to Limit in the same manner in which it collects the Sensitive Personal Information that it uses or discloses for purposes other than those specified by the CCPA (see Section 7027, subsection (m)). The updated regulations also add illustrative examples of uses/disclosures of Sensitive Personal Information that are not subject to the Right to Limit in the employment context (such as scanning employee email and use of biometric information for access to secured areas).

Opt-out preference signal indication required. Businesses must now provide a means for consumers to confirm that their opt-out preference signal has been processed as a valid request to opt out of sale/sharing by the business’s website. For example, the business may display “Opt-Out Request Honored” on its website when a browser, device, or consumer using an opt-out preference signal visits the site, and show through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information.
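As an added illustration (not code from the article, the regulations, or any business), the following JavaScript shows how a site can detect an opt-out preference signal and produce the indication described above. It assumes the signal is Global Privacy Control (GPC), which browsers send as the request header Sec-GPC: 1 and expose to page scripts as navigator.globalPrivacyControl; the function names and the sample request headers are constructed for this example. Displaying the indication is only the visible part of the duty: the business still has to record the opt-out and flow it to its downstream processing, which this snippet does not do.

```javascript
// Added example, not from the article: detecting an opt-out preference signal
// and producing the "Opt-Out Request Honored" indication with a toggle state.
// Assumption: the signal is Global Privacy Control (GPC), sent as the request
// header "Sec-GPC: 1" and exposed to scripts as navigator.globalPrivacyControl.
// The header objects and navigator stand-ins below are constructed inline so
// the example runs offline.

// Server side: was a valid opt-out preference signal sent with this request?
function hasOptOutSignal(headers) {
  // Header names are case-insensitive; only the exact value "1" is a signal.
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Client side: the same decision from the browser-exposed property.
function hasOptOutSignalClient(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Resolve what the page should show. A present signal is treated as a valid
// opt-out request for this visit, so it wins over a stored "not opted out";
// a stored opt-out without a signal still leaves the consumer opted out.
function resolveOptOutState(signalPresent, storedOptOut) {
  const optedOut = signalPresent || storedOptOut === true;
  return {
    optedOut,
    // Shown only when the signal itself was processed, which is the
    // confirmation the regulations ask for.
    message: signalPresent ? 'Opt-Out Request Honored' : '',
    // Drives the sale/sharing toggle or radio button in the privacy UI.
    toggleOptedOut: optedOut,
  };
}

// Tiny renderer for the indicator. Inputs are fixed strings chosen above,
// so no HTML escaping is needed here.
function renderIndicator(state) {
  const banner = state.message
    ? `<p class="opt-out-status">${state.message}</p>`
    : '';
  const toggle =
    `<input type="checkbox" id="do-not-sell" ` +
    `${state.toggleOptedOut ? 'checked' : ''}>`;
  return banner + toggle;
}

// Constructed sample requests: one from a browser sending GPC, one without.
const withSignal = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const withoutSignal = { 'user-agent': 'ExampleBrowser/1.0' };

const stateA = resolveOptOutState(hasOptOutSignal(withSignal), false);
const stateB = resolveOptOutState(hasOptOutSignal(withoutSignal), false);
console.log(renderIndicator(stateA)); // banner plus a checked toggle
console.log(renderIndicator(stateB)); // unchecked toggle, no banner
```

The server-side check is the one to rely on for rendering, because it is evaluated on every request before any script runs; the client-side check is useful for updating the toggle without a round trip. Both must treat the signal as a request on its own, with no account or verification step in front of it.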

Article 9: New cybersecurity audits

Who must conduct cybersecurity audits. A business must complete a cybersecurity audit if its processing presents “significant risk” to consumers’ security, as determined by thresholds that combine the statutory “business” criteria with volume of processing – ie, businesses that 1) derive 50 percent or more of their annual revenue from selling or sharing consumers’ personal information, or 2) had annual gross revenue of more than $25 million in the preceding year and, in that year, processed the personal information of 250,000 or more consumers or households, or the sensitive personal information of 50,000 or more consumers.

Timing and cadence. The first audit windows are fixed by revenue tiers, with the first audit due as follows (deadline: qualifying annual gross revenue):

  • April 1, 2028: 2026 annual gross revenue more than $100 million
  • April 1, 2029: 2027 annual gross revenue between $50 million and $100 million
  • April 1, 2030: 2028 annual gross revenue less than $50 million

Thereafter, audits run annually without gaps, and the certification must be submitted each year by April 1.

Independence and scope. Audits must be conducted by a qualified, objective, independent auditor, applying professionally accepted procedures (eg, American Institute of Certified Public Accountants, Public Company Accounting Oversight Board, Information Systems Audit and Control Association, International Organization for Standardization). The regulations do not necessarily require a third-party auditor, and internal audits are acceptable so long as the business meets certain independence safeguards (including direct reporting lines to the executive management team). The regulations provide a non-exhaustive list of components that the audit (and the report) must include, to the extent applicable:

  • Implementation and maintenance of policies and procedures
  • Multi-factor authentication and password standards
  • Data encryption
  • Access controls
  • Data flows and classification
  • Hardware and software inventories and approval processes
  • Software updates/upgrades, patch management, and change management
  • Penetration testing, vulnerability scanning, etc.
  • Data loss prevention systems and other network monitoring technologies
  • System segmentation
  • Employee training
  • Business continuity and disaster recovery plans
  • Compliance enforcement

The audit report must also identify and describe any gaps, and the business’s plan to address those gaps, including the timeframe in which the business will resolve the gap. The updated regulations also require businesses to submit a written certification to the CPPA.

Retention of audit documentation. The business, and the auditor, must retain all relevant documentation for each audit for a minimum of five years.

Article 10: New risk assessments

When a risk assessment is required. Risk assessments are required before initiating any processing that presents a “significant risk to privacy.” The regulations enumerate the triggers, including but not limited to:

  • Selling or sharing personal information
  • Processing sensitive personal information (with limited carve-outs)
  • Using ADMT for a significant decision

Submissions to the Agency. Compliance with the risk-assessment duty begins January 1, 2026; the first submission is due April 1, 2028. The regulations spell out who must sign (designated executive), what the attestation must state, and the content required in the abridged summaries.

Article 11: New automated decision-making technology

Scope and compliance date. If a business uses ADMT to make significant decisions about a consumer, it must comply with Article 11. Compliance is required by January 1, 2027 for existing uses, or from the point at which a use begins if that is later.

Pre-use notice. Before processing personal information with ADMT for covered purposes, the business must provide a pre-use notice that clearly informs consumers of the use of ADMT and their rights to opt out of ADMT and to access ADMT. The notice must appear prominently at or before the point when personal information to be used with ADMT is collected or, if already collected for another purpose, before the ADMT use begins. It may be delivered within the notice at collection so long as all pre-use elements are present.

Opt-out of ADMT. Consumers must be offered two or more methods to opt out; at least one must match how the business primarily interacts with them (eg, an online form linked from the pre-use notice titled “Opt-out of Automated Decisionmaking Technology”). The updated regulations highlight that cookie banners alone are not sufficient because they address collection, not ADMT use. No account creation or full verification may be required to opt out (only the information necessary to effect the request). If a consumer opts out after use begins, the business must stop within 15 business days and flow that opt-out to service providers/contractors. Businesses must wait 12 months before asking the consumer to consent to resumed use of ADMT.

Access to ADMT. Upon a request to access ADMT, businesses must explain, in plain language, the specific purpose, logic, and key parameters that affected outputs for that consumer, and how the output influenced the decision, including the role of any human involvement. Under certain conditions, a business may provide an aggregate-level summary of outputs and key parameters as described in the regulations.

The 2025 updated CCPA regulations mainly tighten practical duties businesses already had and layer on much anticipated requirements around cybersecurity audits, risk assessments, and ADMT. If you have questions about your business’s compliance posture or next steps, please contact DLA Piper’s Data Protection, Privacy and Security team or any of the authors of this article.
