California’s New Era of Provable Privacy Compliance
The California Privacy Protection Agency (CPPA) has ushered in a new, formidable era of data protection with the finalization of its regulations on cybersecurity audits, automated decision-making, and risk assessments. Approved by the California Office of Administrative Law on September 22, 2025, these rules represent the most significant evolution in U.S. privacy law since the California Consumer Privacy Act (CCPA) first took effect.[1] This new regulatory package signals a fundamental and permanent shift away from a compliance framework based on “notice-and-choice” and toward a demanding regime of operationalized, evidence-based, and auditable technology governance.[3] The era of relying on well-drafted privacy policies as the primary shield is over; the era of provable, demonstrable compliance has begun.
This paradigm shift is built upon three interconnected regulatory pillars that create a comprehensive system of accountability for businesses processing the data of California residents:
- Mandatory Annual Cybersecurity Audits: For the first time, a U.S. privacy law mandates that businesses presenting a “significant risk” to consumer security must undergo an annual, independent, and evidence-based audit of their entire cybersecurity program. This requirement moves security from an internal IT function to a board-level compliance and risk management imperative.
- Automated Decision-Making Technology (ADMT) Governance: California is now the first U.S. jurisdiction to grant consumers specific, actionable rights—including notice, access, and opt-out—concerning the use of algorithms and artificial intelligence for high-stakes decisions affecting their lives and livelihoods.
- Mandatory Risk Assessments: Serving as the foundational connective tissue for the entire framework, these assessments compel businesses to proactively identify, analyze, and mitigate privacy risks before engaging in high-risk data processing activities, including those that trigger the audit and ADMT obligations.[4]
For corporate counsel and their outside advisors, these regulations must be viewed as more than a mere compliance update. They represent a critical risk management challenge and a significant opportunity to provide high-value strategic guidance. The CPPA and the California Attorney General have demonstrated their willingness to be active enforcers, and these rules provide them with a new, sharper set of teeth for investigations and administrative actions.[6] Understanding the granular details and strategic implications of this new framework is no longer optional—it is essential for any business operating in the world’s fifth-largest economy. The complex and staggered compliance deadlines demand immediate attention and strategic planning.
To provide immediate clarity, the following table synthesizes the key compliance dates into a single, actionable calendar for counsel to use in planning and client advisories.
| Regulation/Requirement | Key Action Required | Compliance Deadline |
|---|---|---|
| ADMT Compliance | Full compliance with Notice, Opt-Out, and Access rights for all in-scope ADMT use. | January 1, 2027 |
| Risk Assessments (Ongoing Activities) | Conduct and document risk assessments for high-risk processing activities that began before Jan 1, 2026. | December 31, 2027 |
| Cybersecurity Audit (> $100M Revenue) | Submit first annual certification to the CPPA for the 2027 audit year. | April 1, 2028 |
| Risk Assessment Submission (First Filing) | Submit attestation of completion and summary of assessments for 2026-2027 to the CPPA. | April 1, 2028 |
| Cybersecurity Audit ($50M–$100M Revenue) | Submit first annual certification to the CPPA for the 2028 audit year. | April 1, 2029 |
| Cybersecurity Audit (< $50M Revenue) | Submit first annual certification to the CPPA for the 2029 audit year. | April 1, 2030 |

Sources: [2]
II. The Auditor at the Gates: Deconstructing the Annual Cybersecurity Audit Mandate
The centerpiece of the new regulations is the requirement for certain businesses to conduct an annual cybersecurity audit. This is not a simple self-assessment but a formal, independent evaluation designed to verify the effectiveness of a company’s entire cybersecurity program. The mandate transforms cybersecurity from a best practice into a legally required, auditable, and enforceable obligation.
A. Threshold Analysis: Determining “Significant Risk” for Your Client
The audit requirement is not universal; it applies only to businesses whose processing of personal information presents a “significant risk to consumers’ security”.[9] The regulations establish a clear, two-prong test to determine applicability. A business must conduct an audit if it meets the criteria of either prong.
Prong 1: The Revenue Model Test
A business is subject to the audit requirement if it derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.[11] This prong is designed to capture businesses whose core model is based on the monetization of data, such as data brokers, ad-tech firms, and certain consumer-facing platforms.
Prong 2: The Revenue and Volume Test
Alternatively, a business is subject to the audit requirement if it meets a general revenue threshold and processes a high volume of personal information. Both conditions of this prong must be met:
- Revenue Condition: The business has annual gross revenues exceeding the CCPA’s jurisdictional threshold (currently $25 million, adjusted biennially for inflation) in the preceding calendar year.[9]
- Volume Condition: The business annually processes either:
  - The personal information of 250,000 or more California consumers or households;[4] OR
  - The sensitive personal information of 50,000 or more California consumers.[10]
This second prong captures large-scale enterprises that, while not primarily data brokers, handle a significant volume of consumer data as part of their operations, such as major retailers, financial institutions, and healthcare providers.
To assist counsel in this critical initial analysis, the following checklist provides a structured diagnostic tool.
| Cybersecurity Audit Applicability Checklist | Yes/No |
|---|---|
| Prong 1: Revenue Model Test | |
| 1. Does the business derive 50% or more of its annual revenue from selling or sharing consumers’ personal information? | |
| Prong 2: Revenue and Volume Test | |
| 2a. Did the business’s annual gross revenue in the preceding calendar year exceed the CCPA threshold (>$25M, as adjusted)? | |
| 2b. In the preceding calendar year, did the business process the personal information of 250,000+ CA consumers/households OR the sensitive personal information of 50,000+ CA consumers? | |
| Conclusion: If the answer to Question 1 is ‘Yes,’ OR if the answers to both Questions 2a and 2b are ‘Yes,’ the business is likely required to conduct an annual cybersecurity audit. | |
This threshold analysis is the crucial first step. A misinterpretation could lead a client to either unnecessarily incur the significant expense of an audit or, more perilously, fail to conduct a required audit, exposing it to severe enforcement penalties.
B. The Audit Blueprint: Scope, Standards, and Substance
For businesses that meet the threshold, the regulations prescribe a detailed and rigorous audit process. The core principle underpinning the audit is the move to an evidence-based standard, explicitly designed to prevent superficial compliance.
A revolutionary aspect of the rule is the prohibition on primary reliance on management assertions.[3] The auditor cannot simply take the company’s word that controls are in place and effective. Instead, the audit findings must be primarily based on the auditor’s independent review of objective evidence, which may include technical testing, document review, sampling of controls, and interviews with key personnel.[10] This requirement for independent verification is a sea change from many existing compliance frameworks.
The scope of the audit is comprehensive, requiring an assessment of the business’s entire cybersecurity program as it pertains to protecting personal information. The regulations specify at least 18 components that must be assessed, if applicable. These components form a detailed blueprint of a modern, mature cybersecurity program and include, among others:[9]
- Authentication and Access Controls: Including the implementation of phishing-resistant multi-factor authentication (MFA) for employees, contractors, and service providers.
- Encryption: Verifying the encryption of personal information both at rest and in transit.
- Information Asset Management: Maintaining a comprehensive inventory of personal information and the systems that process it.
- Vulnerability Management: Conducting regular vulnerability scanning and independent penetration testing.
- Logging and Monitoring: Implementing and maintaining robust audit log management to detect and respond to security events.
- Incident Response: Establishing and testing a comprehensive incident response management plan.
- Data Retention and Disposal: Enforcing defined data retention schedules and secure disposal practices.
Crucially, the audit is not a pass/fail exercise with a static outcome. The regulations include a remediation mandate, requiring the final audit report to not only identify any gaps or weaknesses in the cybersecurity program but also to document the business’s concrete plan to address those issues, including a specific timeframe for remediation.[11] This creates a formal, documented record of a company’s security posture, its identified deficiencies, and its commitment to improvement—a record that will be of immense interest to regulators in any future investigation.
The codification of these specific security controls has a profound secondary effect beyond the audit itself. The CCPA’s private right of action for data breaches, which allows for statutory damages of up to $750 per consumer per incident, is triggered when a breach is caused by a business’s failure to implement and maintain “reasonable security procedures and practices”.[17] For years, the definition of “reasonable security” has been frustratingly ambiguous, shaped largely by the outcomes of post-breach litigation and enforcement actions. These new audit regulations effectively end that ambiguity. The CPPA has provided a detailed, regulator-endorsed checklist of what constitutes “reasonable security” for high-risk data processors in California.[11]
This development dramatically alters the legal calculus for data breach risk management. In the aftermath of a breach, a plaintiff’s attorney now has a clear and powerful roadmap for discovery. The first questions will be: “Was your client required to conduct a cybersecurity audit? Did that audit verify the effective implementation of these 18+ controls? Please produce the independent audit report.” A business that can produce a clean audit report will have a formidable defense, demonstrating that it met the state’s prescribed standard of care. Conversely, a business that failed to conduct a required audit, or whose audit report reveals significant, un-remediated gaps, may find itself with little defense against claims that it failed to maintain reasonable security, potentially turning the audit report into a plaintiff’s most valuable piece of evidence.
C. The Independent Eye: Auditor Qualifications and Selection
To ensure the integrity of this process, the regulations impose strict requirements on the individuals or firms that can perform the audit. The auditor must be “qualified, objective, and independent”.[11]
The rules provide flexibility, allowing the auditor to be either an external third party or an internal employee.[10] However, this flexibility comes with a critical structural safeguard designed to ensure objectivity. If a business chooses to use an internal auditor, that individual is subject to the Reporting Line Rule: they must report directly to the business’s board of directors, a governing body, or a C-suite executive who does not have direct responsibility for the cybersecurity program.[9] This is a crucial requirement intended to prevent the Chief Information Security Officer (CISO) or equivalent from overseeing their own audit, thereby mitigating potential conflicts of interest and ensuring the audit’s findings are not unduly influenced by the very department being assessed.
Regardless of whether the auditor is internal or external, they must possess demonstrable knowledge of cybersecurity and auditing standards. Furthermore, the auditor must personally certify in the final report that the audit was conducted independently and impartially, based on their own objective analysis of the evidence.[14] This personal attestation places the professional reputation of the auditor on the line, adding another layer of accountability to the process.
D. The Compliance Roadmap: Timelines and Certification
The CPPA has established a staggered, multi-year timeline for the initial audit certification, based on a business’s annual revenue from the preceding calendar year. This phased approach provides businesses with a runway to prepare, but the deadlines are firm and require long-term planning.[2]
- April 1, 2028: The deadline for businesses with annual gross revenue exceeding $100 million in 2026 to submit their first certification. This audit must cover the 2027 calendar year.
- April 1, 2029: The deadline for businesses with annual gross revenue between $50 million and $100 million in 2027. This audit must cover the 2028 calendar year.
- April 1, 2030: The deadline for businesses with annual gross revenue under $50 million in 2028 (but still meeting the applicability thresholds). This audit must cover the 2029 calendar year.
After the initial audit, the requirement becomes annual, with a certification due to the CPPA by April 1 of each subsequent year.[10] This certification is not a perfunctory filing. It must be signed by a member of the business’s executive management team or board of directors, who personally attests to the audit’s completion and the accuracy of its contents.[16] This requirement for executive attestation ensures that accountability for cybersecurity compliance reaches the highest levels of the organization.
III. Taming the Algorithm: Navigating the New Rules for Automated Decision-Making (ADMT)
In a landmark move, the CPPA’s regulations establish the first comprehensive governance framework for the use of automated systems and artificial intelligence in the United States. These rules grant California consumers unprecedented transparency and control when businesses use technology to make high-stakes decisions about them. The compliance obligations are complex and hinge on a series of precise, highly consequential definitions.
A. Defining the Battlefield: What Constitutes ADMT for a “Significant Decision”
The applicability of the ADMT rules is narrowly tailored. The obligations are triggered only when a business uses Automated Decision-Making Technology to make a “Significant Decision” concerning a consumer.[18]
The final definition of ADMT is “any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making”.[18] This definition was notably narrowed during the rulemaking process. Earlier, more expansive drafts that included technology which merely “facilitated” or “substantially facilitated” human decisions were rejected in favor of this higher standard, providing a clearer line for businesses.[20]
The scope is further limited by the definition of a “Significant Decision.” This term covers decisions that have a material impact on a consumer’s life, resulting in the provision or denial of critical services or opportunities. The regulations specifically enumerate these categories, which include financial and lending services, housing, insurance, education enrollment, employment or independent contracting opportunities and compensation, and healthcare services.[18]
The most critical element of the ADMT definition, and the primary avenue for businesses to manage their compliance burden, is the concept of “Meaningful Human Review.” The regulations clarify that a technology “substantially replaces” human decision-making only when it is used to make a decision without human involvement.[9] This creates a crucial safe harbor for businesses that implement a robust human-in-the-loop process. To qualify for this exception and avoid triggering the full suite of ADMT obligations, a business’s human review process must satisfy a rigorous three-part test:[9]
- Competence: The human reviewer must know how to interpret the technology’s output. This implies a need for training and expertise.
- Holistic Consideration: The reviewer must consider the technology’s output alongside other relevant information and affirmatively conduct a review, rather than simply rubber-stamping the system’s recommendation.
- Authority: The reviewer must have the actual authority to change, override, or disregard the technology’s decision based on their own analysis.
This exception will have profound operational consequences. It creates a powerful incentive for businesses to design their AI-driven workflows to fall within this safe harbor. However, relying on this exception is not a simple matter of legal interpretation; it requires the creation of a defensible, evidence-based process. Companies will need to be able to prove, if challenged by regulators, that their human review is not a sham but a genuinely robust process that meets all three prongs of the test. This will necessitate rigorous documentation of reviewer training protocols, process flowcharts that detail the role of the human reviewer, and records of instances where human reviewers have overridden the ADMT’s output. Consequently, a new field of advisory services focused on “AI process auditing” is likely to emerge, where legal and technical experts are called upon to design, validate, and certify that a company’s human review process is legally sufficient to withstand regulatory scrutiny. Counsel should prepare to advise clients not just on the letter of the law, but on how to build the operational and evidentiary record necessary to defend their reliance on this critical exception.
B. A New Bill of Rights: Consumer Control Over ADMT
If a business’s process is determined to be ADMT for a significant decision (i.e., it does not qualify for the “meaningful human review” safe harbor), it triggers a powerful new set of consumer rights, creating a trifecta of transparency and control.
- The Pre-Use Notice: Before collecting personal information that will be used in an ADMT system, or before using previously collected information for such a purpose, businesses must provide consumers with a clear, prominent, and easy-to-understand notice. This notice can be incorporated into the business’s existing CCPA notice at collection but must contain specific information about the ADMT, including:[18]
  - The specific purpose(s) for which the ADMT will be used.
  - A plain-language description of how the ADMT works, which may include the key factors or parameters that influence its output.
  - A clear statement of the consumer’s right to opt-out of the ADMT’s use and their right to access information about it.
- The Right to Opt-Out: Businesses must provide consumers with an easy-to-use mechanism to opt out of the use of their personal information in ADMT for significant decisions.[18] This right is not absolute and is subject to a few narrow, but important, exceptions. The most significant exception is that a business is not required to provide an opt-out if it instead offers a human-led appeal process. To qualify for this exception, the business must clearly describe a method by which a consumer can appeal the ADMT’s decision to a human reviewer who has the authority to overturn the automated outcome.[6] Other very narrow exceptions apply in specific contexts related to hiring, admissions, and work allocation, but only if the ADMT is used solely to assess a consumer’s ability to perform a task and has been shown to be effective and non-discriminatory.[6]
- The Right to Access: Upon receiving a verifiable consumer request, a business must provide the consumer with “meaningful information” about how ADMT was used to make a significant decision concerning them. This goes beyond a simple confirmation of use and must include:[18]
  - The specific purpose for which the ADMT was used in relation to that consumer.
  - Information about the logic of the ADMT, such as the key variables or parameters that affected the output.
  - The outcome of the decision and a description of how the ADMT’s output was used in reaching that outcome. Businesses may withhold information that constitutes a trade secret, but they cannot refuse to disclose the required information on that basis alone.
C. The January 1, 2027 Deadline: Preparing for Go-Live
All businesses that use ADMT for significant decisions must be in full compliance with these notice, opt-out, and access requirements by January 1, 2027.[2] While this deadline may seem distant, the operational lift required to build and test these new systems is substantial. It will require deep collaboration between legal, privacy, engineering, and product teams to inventory systems, design compliant workflows, and implement consumer-facing interfaces. The following framework distills the core obligations into a quick-reference guide for counsel.

| ADMT Compliance Framework | Core Business Obligation | Key Nuance / Exception |
|---|---|---|
| Pre-Use Notice | Provide a prominent notice at or before the point of collection, detailing the ADMT’s purpose, a description of its logic, and the consumer’s rights. | Can be consolidated into the existing Notice at Collection for efficiency. |
| Right to Opt-Out | Provide at least two easy-to-use methods for consumers to opt out of the use of ADMT for significant decisions. | The opt-out right is not required if the business provides and clearly describes a human-led appeal process with the authority to overturn the decision. |
| Right to Access | Upon a verifiable request, provide a plain-language explanation of the ADMT’s logic, the outcome of the decision, and how the output was used. | Businesses may withhold information that would reveal trade secrets, but must still provide the core required information. |

Sources: [18]
IV. The Foundation of Compliance: The Mandatory Risk Assessment Framework
Underpinning both the cybersecurity audit and ADMT governance regimes is the third pillar of the new regulations: the mandatory risk assessment framework. These assessments are not a standalone, check-the-box exercise. They are the required starting point for all high-risk data processing activities and serve as the engine of the new, proactive compliance model.[4]
A. The Connective Tissue of the New Regime
A business is required to conduct and document a risk assessment before initiating any processing activity that presents a “significant risk to consumers’ privacy.” The regulations provide a specific, non-exhaustive list of activities that automatically trigger this requirement, effectively linking the assessment to the other two pillars of the new framework. These triggers include:[4]
- Selling or sharing personal information.
- Processing sensitive personal information.
- Using ADMT for a significant decision concerning a consumer.
- Processing personal information to train an ADMT that will be used for a significant decision.
- Profiling consumers in the context of employment, education, or in publicly accessible places.
- Processing the personal information of consumers known to be under 16 years of age.
The inclusion of training ADMT as a trigger is particularly noteworthy, as it extends the compliance obligation upstream into the development lifecycle of artificial intelligence systems.
B. Content and Substance: Beyond a Simple Checklist
The regulations demand a detailed and thoughtful analysis, not a cursory review. The risk assessment must be a documented report that systematically weighs the benefits of the proposed processing against the potential negative impacts on consumers’ privacy. The required components of the assessment include:[4]
- A detailed description of the specific purpose for the processing.
- The categories of personal information and sensitive personal information to be processed.
- A transparent risk-benefit analysis that evaluates the reasonably foreseeable negative impacts to consumers (such as discrimination, security risks, or financial harm) against the benefits of the processing to the business, the consumer, and the public interest.
- A description of the safeguards the business plans to implement to mitigate the identified risks. These can include technical controls (like encryption), organizational measures (like employee training), and procedural safeguards (like human review of automated decisions).
This framework creates a powerful “paper trail” for future enforcement. In the event of a subsequent security breach or a consumer complaint about algorithmic bias, the CPPA’s first request will almost certainly be for the company’s risk assessment. This document will reveal precisely what the company knew about the potential risks of its processing activity, when it knew it, and what, if anything, it planned to do about it. A poorly conducted assessment, or, more critically, a failure to implement the very safeguards documented in the assessment, could be damning evidence in an enforcement action. The risk assessment transforms from a compliance document into a potential liability roadmap, providing regulators with a clear view of the company’s foresight and diligence—or lack thereof.
C. Submission, Retention, and Timing
The timing and handling of these assessments are strictly regulated. A risk assessment must be conducted before the new processing activity begins. For high-risk processing activities that were already ongoing as of January 1, 2026, businesses have until December 31, 2027, to complete and document the required assessments.[5] Once completed, assessments must be reviewed and updated at least every three years, or within 45 days of any material change to the processing activity.[4]
Businesses are not required to proactively submit their full risk assessment reports to the CPPA. Instead, by April 1, 2028, they must submit two things to the agency: (1) an attestation, signed by an executive, certifying that the required risk assessments have been completed, and (2) a summary of the assessments conducted during the 2026-2027 period.[2] However, businesses must retain the full risk assessment reports for at least five years and must be prepared to provide them to the CPPA upon request, typically with 30 days’ notice.[4]
V. An Action Plan for Counsel: Strategic Guidance for Client Preparation
The breadth and complexity of these new regulations demand a proactive, multi-phased approach to compliance. The following action plan provides a strategic roadmap for counsel to guide their clients through this new landscape, transforming a daunting compliance challenge into a manageable, structured process.
A. Phase 1: Immediate Scoping and Discovery (The Next 6 Months)
The initial phase is focused on understanding the client’s specific obligations and mapping the internal landscape of data, systems, and processes.
- Conduct Applicability Assessments: The first and most urgent task is to determine which of the new rules apply to the client. Using the detailed thresholds and checklists provided in Sections II and III, conduct a formal analysis to determine if the client is subject to the mandatory cybersecurity audit and/or the ADMT governance rules. This analysis should be documented and preserved.
- Initiate a Cross-Functional ADMT Inventory: For many businesses, this will be the most critical and time-consuming first step. Assemble a dedicated team comprising representatives from Legal, IT, Human Resources, Product Development, and Procurement. This team’s mandate is to catalogue every existing and planned technology that could potentially meet the definition of ADMT.[3] For each identified system, the inventory must document its purpose, the data it processes, the decisions it influences, and, most importantly, the nature, extent, and authority of any human review process. This inventory is the foundational prerequisite for all subsequent ADMT compliance efforts.
- Perform a Cybersecurity Program Gap Analysis: Do not wait for the audit period to begin. Immediately benchmark the client’s current cybersecurity program against the 18+ specific components required by the audit regulations. While established frameworks like the NIST Cybersecurity Framework (CSF) or ISO 27001 are excellent starting points, the analysis must map the client’s existing controls directly to the CPPA’s specific requirements to identify any gaps.[3]
B. Phase 2: Operational Build-Out (The Next 12-18 Months)
With the initial discovery complete, the focus shifts to building the necessary operational capabilities, processes, and documentation.
- Develop and Test Consumer-Facing Processes: Begin the work of operationalizing the new consumer rights related to ADMT. Draft modular, plain-language Pre-Use Notices that can be integrated into existing privacy policies. Build or adapt existing Data Subject Access Request (DSAR) and opt-out workflows to handle the specific requirements of ADMT access requests and opt-outs, including any appeal mechanisms.[3]
- Engage and Vet Independent Auditors: The market for qualified, independent cybersecurity auditors who are experts in the new California regulations will be tight. Begin the process of identifying, vetting, and engaging an audit partner early. This will not only reserve capacity but also allow for alignment on the audit scope and methodology well in advance of the first official audit period.[3]
- Operationalize the Risk Assessment Framework: Integrate the California-specific risk assessment process directly into the client’s product development lifecycle and data governance programs. These assessments should not be treated as a one-off project conducted by the legal department but as an ongoing, collaborative process that informs business and technology decisions from the outset.[3]
- Review and Amend Vendor Contracts: The client remains responsible for the data processing activities of its service providers and contractors. All vendor agreements must be reviewed and amended to include clauses that explicitly require vendor cooperation with cybersecurity audits, assistance in responding to ADMT-related consumer rights requests, and adherence to the client’s data protection standards.[3]
C. Phase 3: Finalization and Readiness (Leading up to Deadlines)
The final phase involves testing, training, and finalizing all compliance-related materials and processes.
- Conduct Mock Audits and Remediate Findings: Before the first official audit period begins, conduct a full “dry run” of the cybersecurity audit with the selected auditor. This mock audit will provide invaluable insights into the client’s readiness, identify any final gaps, and allow time for remediation before the official, reportable audit commences.
- Finalize Public-Facing Notices and Internal Playbooks: Finalize the language of all public-facing privacy policies and notices to ensure they meet the new disclosure requirements. Simultaneously, ensure that internal teams have clear, documented playbooks and procedures for handling ADMT opt-outs, access requests, and appeals in a timely and compliant manner.
- Train Key Personnel and Secure Executive Certification: Conduct targeted training for all relevant personnel. This includes the human reviewers involved in ADMT processes (to ensure they understand the criteria for “meaningful human review”), the legal and privacy teams responsible for handling consumer requests, and, critically, the C-suite executives who will be required to sign the annual certifications to the CPPA.
These regulations are not merely an incremental update; they represent a structural change to the privacy and security landscape in the United States, pushing California’s requirements further ahead of other state laws and establishing a new high-water mark for corporate accountability. Proactive, strategic, and well-documented preparation is not just advisable—it is the only effective means of mitigating the significant legal, financial, and reputational risks of this new regulatory reality.
Works cited
- CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations – California Privacy Protection Agency (CPPA), accessed October 19, 2025, https://cppa.ca.gov/regulations/ccpa_updates.html
- California Finalizes Regulations to Strengthen Consumers’ Privacy, accessed October 19, 2025, https://cppa.ca.gov/announcements/2025/20250923.html
- The CPPA Finalizes Rules on ADMT, Risk Assessments, and Cybersecurity Audits | Thought Leadership | Baker Botts, accessed October 19, 2025, https://www.bakerbotts.com/thought-leadership/publications/2025/august/a-101-of-the-cppas-finalizes-rules-on-admt-risk-assessments-and-cybersecurity-audits
- Privacy update: CCPA/CPRA regulations finalized – Grant Thornton, accessed October 19, 2025, https://www.grantthornton.com/insights/articles/advisory/2025/privacy-update-ccpa-cpra-regulations-finalized
- Understanding the CCPA’s New Risk Assessment Requirements – Part 2, accessed October 19, 2025, https://www.workplaceprivacyreport.com/2025/10/articles/california-consumer-privacy-act/understanding-the-ccpas-new-risk-assessment-requirements-part-2/
- California Finalizes Rules on Automated Decisionmaking, Risk Assessments & Cybersecurity Audits – Manatt, Phelps & Phillips, LLP, accessed October 19, 2025, https://www.manatt.com/insights/newsletters/client-alert/california-finalizes-rules-on-automated-decisionmaking-risk-assessments-cybersecurity-audits
- US Data Privacy Guide | White & Case LLP, accessed October 19, 2025, https://www.whitecase.com/insight-our-thinking/us-data-privacy-guide
- California Privacy Protection Agency Advances Substantial Rulemaking – Cyber Audits, Risk Assessments, New Automated Decisionmaking Technologies Rights, and More – Data Matters, accessed October 19, 2025, https://datamatters.sidley.com/2025/07/29/california-privacy-protection-agency-advances-substantial-rulemaking-cyber-audits-risk-assessments-new-automated-decisionmaking-technologies-rights-and-more/
- CPPA Board Finalizes New Rules on ADMT, Cybersecurity Audits, and Risk Assessments, accessed October 19, 2025, https://www.morganlewis.com/pubs/2025/08/cppa-board-finalizes-new-rules-on-admt-cybersecurity-audits-and-risk-assessments
- California’s proposed cybersecurity audit regulation – Data Protection Report, accessed October 19, 2025, https://www.dataprotectionreport.com/2025/08/californias-proposed-cybersecurity-audit-regulation/
- California’s New CCPA Cybersecurity Audit Regulations: A Roadmap to “Reasonable” Security? | Wyrick Robbins Practical Privacy, accessed October 19, 2025, https://practicalprivacy.wyrick.com/blog/californias-new-ccpa-cybersecurity-audit-regulations-a-roadmap-to-reasonable-security
- The CCPA Now Requires Annual Cybersecurity Audits | Schellman, accessed October 19, 2025, https://www.schellman.com/blog/privacy/ccpa-now-requires-annual-cybersecurity-audits
- Preparing for the CCPA draft regulations on cybersecurity audits – Hogan Lovells, accessed October 19, 2025, https://www.hoganlovells.com/en/publications/preparing-for-the-ccpa-draft-regulations-on-cybersecurity-audits
- Fact Sheet: Draft Cybersecurity Audit Regulations – California Privacy Protection Agency, accessed October 19, 2025, https://cppa.ca.gov/meetings/materials/cybersecurity_audit_regulations.pdf
- California adopts Cybersecurity Audit Rule, outlining ‘reasonable’ cybersecurity | IAPP, accessed October 19, 2025, https://iapp.org/news/a/california-adopts-cybersecurity-audit-rule-outlining-reasonable-cybersecurity
- California Adopts Regulations on Cybersecurity Audits – Shook, Hardy & Bacon, accessed October 19, 2025, https://www.shb.com/intelligence/newsletters/pds/hansen-july-2025-california-cybersecurity-audits
- California Privacy Rights Act (CPRA): 2025 Compliance Guide – Kiteworks, accessed October 19, 2025, https://www.kiteworks.com/risk-compliance-glossary/california-privacy-rights-act/
- CPPA finalizes rules on ADMT, risk assessments, and cybersecurity audits requirements under the CCPA | White & Case LLP, accessed October 19, 2025, https://www.whitecase.com/insight-alert/cppa-finalizes-rules-admt-risk-assessments-and-cybersecurity-audits-requirements
- California Finalizes CCPA Regulations for Automated Decision-Making Technology, Risk Assessments and Cybersecurity Audits | Insights | Skadden, Arps, Slate, Meagher & Flom LLP, accessed October 19, 2025, https://www.skadden.com/insights/publications/2025/10/california-finalizes-cppa-regulations
- Modified Text of Proposed Regulations – California Privacy …, accessed October 19, 2025, https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_mod_txt_pro_reg.pdf
- California Finalizes Groundbreaking Regulations on AI, Risk Assessments, and Cybersecurity: What Businesses Need to Know – Ogletree, accessed October 19, 2025, https://ogletree.com/insights-resources/blog-posts/california-finalizes-groundbreaking-regulations-on-ai-risk-assessments-and-cybersecurity-what-businesses-need-to-know/
- California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action, accessed October 19, 2025, https://www.privacyworld.blog/2025/10/california-privacy-agency-rolls-out-new-regulations-and-approves-1-35-million-penalty-in-latest-ccpa-enforcement-action/
- Fact Sheet: Draft Automated Decisionmaking Technology Regulations – California Privacy Protection Agency (CPPA), accessed October 19, 2025, https://cppa.ca.gov/meetings/materials/adt_regulations.pdf
- What to Know about the New CCPA Regulations on Automated Decision-Making Technology – Securiti, accessed October 19, 2025, https://securiti.ai/ccpa-automated-decision-making-technology/
- California Finalizes New CCPA Rules on ADMT, Cybersecurity Audits, and Risk Assessments | Consumer Finance and Fintech Blog, accessed October 19, 2025, https://www.consumerfinanceandfintechblog.com/2025/08/california-finalizes-new-ccpa-rules-on-admt-cybersecurity-audits-and-risk-assessments/
- Fact Sheet: Draft Risk Assessment Regulations – California Privacy Protection Agency, accessed October 19, 2025, https://cppa.ca.gov/meetings/materials/risk_assessment_regulations.pdf
