Navigating New Obligations Under the CCPA’s Updated Regulations
Key points
- On September 22, 2025, the California Office of Administrative Law approved revisions to the California Consumer Privacy Act Regulations. The revisions to the CCPA’s existing obligations will take effect on January 1, 2026.
- New obligations introduced in the revised regulations related to automated decisionmaking technology and cybersecurity audits will begin to take effect in 2027. The risk assessment requirements apply to covered processing activities initiated on or after January 1, 2026, with assessments of pre-existing activities due by December 31, 2027 and the first attestations due April 1, 2028.
- Revisions to the CCPA’s existing obligations will require businesses to assess whether their current compliance programs will need updates, including with respect to the processing of sensitive personal information, which now includes personal information of consumers under the age of 16, and the handling of consumers’ rights requests. The revisions will also require businesses to evaluate whether their current interfaces for websites, mobile apps, connected devices, and augmented/virtual reality devices meet the updated transparency requirements.
Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law (OAL) on September 22, 2025. These revisions come after a year-long process of debate and public comment and will take effect on January 1, 2026 (with some provisions delayed until 2027).
While the California Privacy Protection Agency (CPPA or the Agency) focused the majority of the revised regulations on introducing new obligations related to automated decisionmaking technology (ADMT), cybersecurity audits, and risk assessments, it also amended existing regulations to expand and clarify other requirements.
This article summarizes the key requirements under the revised regulations. As described further below, the revisions will require businesses to promptly assess whether their current compliance programs need updates prior to the end of the year.
Key Amendments Impacting Existing Compliance Programs
Sensitive Personal Information
First, the revised regulations expand on the CCPA’s statutory definition of “sensitive personal information”: Personal information of consumers under 16 is now considered sensitive personal information. As such, businesses may need to update their current data processing practices to ensure that processing of personal information of consumers under 16 complies with the requirements governing sensitive personal information.
The revised regulations broaden the definition of sensitive personal information to include all personal information of consumers less than 16 years of age, provided the business has actual knowledge of their age. Cal. Code Regs. tit. 11, § 7001(bbb). If a business willfully disregards a consumer’s age, it is deemed to have actual knowledge.
Therefore, if a business requests a consumer’s age during sign-up or otherwise knows a consumer is under 16 years old, the business now needs to evaluate its handling of that information to determine what changes, if any, need to be made to its compliance program. For example, businesses that do not currently process other types of sensitive personal information will now need to determine whether they are using or disclosing information about individuals under 16 for purposes other than those specified in § 7027(m) of the regulations. If that is the case, they may be required to implement a Notice of Right to Limit and related opt-out mechanisms in accordance with § 7014.
Separately, businesses that already process some sensitive personal information may need to update their Notice of Right to Limit and related opt-out mechanisms if they are using or disclosing this information for purposes other than those specified in § 7027(m), to ensure they are accurately capturing information about consumers under the age of 16. Alternatively, a business may need to implement controls to ensure that information about users under the age of 16 and any other sensitive personal information is only being used for permitted purposes, if it takes the position that it does not use or disclose sensitive personal information for purposes that trigger the Right to Limit.
Takeaway: Businesses with actual knowledge that they process the personal information of consumers less than 16 years of age need to revisit their use and disclosure of such information to determine whether they need to offer a Notice of Right to Limit and/or update internal controls to ensure that such personal information is only being used for the purposes permitted under the regulations.
New Transparency Requirements
Businesses offering mobile applications, connected devices, or augmented reality / virtual reality (AR/VR) technologies need to evaluate their current interfaces to assess compliance with the CCPA’s new transparency requirements, as detailed below.
Mobile Applications
The revised regulations now require businesses to make their privacy policies accessible not only via a link on their mobile applications’ download or landing page, but also within the applications themselves. Id. § 7003(d). Namely, a link to the privacy policy must now be included in the app’s settings menu. Id. § 7011(d). Businesses will likely need to review, and in some cases update, their mobile app interfaces to ensure compliance with these amendments.
Connected Devices and AR/VR
Businesses that collect personal information via connected devices, such as smart TVs and wearables (e.g., smart watches), may also need to implement new transparency obligations. The existing regulations require businesses that engage in the “selling” or “sharing” of personal information, and businesses that use or disclose sensitive personal information for purposes that trigger the Right to Limit obligations, to provide the applicable notice (a “Notice of Right to Opt-out of Sale/Sharing” or a “Notice of Right to Limit,” respectively) in the same manner in which the personal information used for such purposes was collected. Id. §§ 7013(e)(3), 7014(e).
The revised regulations add a timing requirement: businesses that collect personal information for such purposes must now provide the applicable notice in a manner that ensures the consumer will encounter it before or at the time data collection begins. Id. §§ 7013(e)(3)(C), 7014(e)(3)(C). Accordingly, businesses will likely need to evaluate their products’ sign-up flows to ensure that consumers receive the required notices in an appropriate and timely manner.
Likewise, businesses that sell or share personal information collected within AR/VR environments must provide the required notices before or at the time the consumer enters the AR/VR environment. Moreover, if the business is required to provide a Notice of Right to Limit, such notice must also be provided before or at the time the business collects the personal information within the AR/VR environment. Id. § 7014(e)(3)(D).
Responding to Requests to Opt-Out of Sale/Sharing and Right to Limit
Under existing regulations, businesses that receive a request to opt-out of selling/sharing or that detect an opt-out preference signal must act on the request by ceasing the selling/sharing and notifying the third parties with which the business sold/shared the personal information of the same. Id. §§ 7025(c), 7026(f).
The revised regulations expand on these requirements by mandating that a business further display to the consumer whether the consumer’s request has been processed. Id. § 7025(c)(6). For example, a business may comply by displaying text such as “Opt-Out Request Honored” on its website and providing a toggle or radio button in the consumer’s privacy settings to indicate the opt-out request has been processed. Id. § 7026(g). Similarly, when a consumer submits a request to limit a business’s use and disclosure of sensitive personal information, the business must also display a means by which the consumer can confirm that their request has been processed (such as through a toggle or radio button as well). Id. § 7027(h).
Takeaway: Businesses that offer mobile apps must make their privacy policies accessible both via links on the app’s download or landing page and within the app’s settings menu. In addition to the CCPA’s Notice at Collection requirement, businesses that are required to provide a Notice of Right to Opt-Out of Sale/Sharing and/or a Notice of Right to Limit based on information collected through connected devices or within AR/VR environments must ensure that such notices are surfaced to consumers at or before the point of collection. Businesses that receive a request to opt-out of selling/sharing or a request to limit must now display whether they have processed the request(s) on their website.
Rights Requests
Right to Correct
The revised regulations change how businesses must handle consumer requests to correct personal information. Where a business is not the source of the information that the consumer is requesting to correct, businesses formerly had discretion as to whether they would provide the name of the source from which the business received the contested information. The revised regulations eliminate that discretion: Businesses must now either provide the consumer with the source of the information or inform the source that the information is incorrect and must be corrected. Id. § 7023(i).
In addition, if a business denies a consumer’s request to correct personal information concerning a consumer’s health, under the existing regulations that business must inform the consumer that they may provide the business with a statement to be made part of the consumer’s record. The revised regulations additionally mandate that the business make the statement available to any person to whom the business discloses, shares, or sells the personal information that is subject to the request to correct. Id. § 7023(f)(3).
Accordingly, businesses should review their compliance practices to ensure that correction requests are handled in compliance with the revised regulations, including training for any customer service teams that handle such requests.
Consumer Confirmation of Sensitive Information
The updated regulations introduce new requirements for businesses to offer consumers confirmation methods for certain types of sensitive personal information.
Though businesses are not required to disclose categories of sensitive personal information in response to an access request or request to correct, the revised regulations now require businesses to provide consumers with a way to confirm that certain types of sensitive personal information a business maintains about them match the information provided by the requesting consumer. Id. §§ 7023(j), 7024(d)(2). For example, if a business receives a request to correct, the business can have the consumer call its toll-free number and, after verifying the consumer’s identity, the business can confirm whether the sensitive personal information provided by the consumer matches what the business has on file.
Businesses should be aware that this new requirement creates a security risk: a confirmation procedure is, by design, a yes/no oracle that tells the caller whether a supplied value is the one on file. Bad actors in possession of sensitive personal information, such as a Social Security number or bank account number obtained through a data leak or other means, could attempt to use the procedure to validate that the stolen data is current, or, with only a partial value, to complete it by repeated guessing. Strict identity verification before any confirmation is given, limits on the number of confirmation attempts, and logging of each attempt can help prevent this type of exploitation. Further, employees responsible for handling rights requests will require additional training to implement the new confirmation procedures without being talked into confirming values for an unverified caller.
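The following is an added illustration (not part of the original article, and not anything the regulations prescribe) of the oracle risk just described. It models two versions of a confirmation endpoint: a naive one that answers anyone, and a hardened one that requires a verified session, caps attempts per consumer and field, compares in constant time, and records every attempt. The record store, consumer identifiers, field names, attempt limit, and the notion of a session carrying an `identity_verified` flag are all illustrative assumptions.

```python
"""Added example (not from the original article): why an unprotected
sensitive-data confirmation endpoint acts as a verification oracle for
stolen data, and one hardened variant. Names, limits and records below are
illustrative assumptions, not anything the CCPA regulations prescribe."""
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample record store: consumer id -> sensitive values on file.
RECORDS = {
    "c-1001": {"ssn": "123-45-6789", "bank_account": "000123456789"},
}


def _normalize(value: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' compare equal."""
    return re.sub(r"[\s-]", "", value)


def naive_confirm(consumer_id: str, field_name: str, claimed: str) -> bool:
    """Unprotected oracle: anyone can ask, as often as they like, and the
    answer reveals whether a stolen value is current for this consumer."""
    stored = RECORDS.get(consumer_id, {}).get(field_name)
    return stored is not None and _normalize(stored) == _normalize(claimed)


@dataclass
class ConfirmationService:
    """Hardened confirmation: verified identity first, bounded attempts,
    constant-time comparison, and an audit trail of every attempt."""
    max_attempts: int = 3
    attempts: Dict[Tuple[str, str], int] = field(default_factory=dict)
    audit_log: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

    def confirm(self, session: dict, field_name: str, claimed: str) -> str:
        consumer_id = session.get("consumer_id")
        # 1. Identity must already be verified for this request (assumption:
        #    the session carries the outcome of the business's verification step).
        if not session.get("identity_verified"):
            self.audit_log.append(("denied_unverified", consumer_id, field_name))
            return "identity_not_verified"
        # 2. Budget attempts per consumer and field so the endpoint cannot be
        #    used to brute-force a partially known value.
        key = (consumer_id, field_name)
        used = self.attempts.get(key, 0)
        if used >= self.max_attempts:
            self.audit_log.append(("locked", consumer_id, field_name))
            return "locked"
        self.attempts[key] = used + 1
        # 3. Single yes/no answer, compared in constant time; never echo the
        #    stored value or say which digits differed.
        stored = RECORDS.get(consumer_id, {}).get(field_name, "")
        ok = hmac.compare_digest(_normalize(stored).encode(), _normalize(claimed).encode())
        self.audit_log.append(("match" if ok else "mismatch", consumer_id, field_name))
        return "match" if ok else "no_match"


def brute_force_last_four(oracle: Callable[[str, str, str], bool],
                          consumer_id: str, known_prefix: str) -> Optional[str]:
    """Attacker holding the first five SSN digits (e.g. from a breach) uses a
    confirmation endpoint to recover the rest. Returns the full value or None."""
    for guess in range(10000):
        candidate = f"{known_prefix}{guess:04d}"
        if oracle(consumer_id, "ssn", candidate):
            return candidate
    return None


def run_demo() -> dict:
    """Run the attack against both endpoints and report the outcomes."""
    svc = ConfirmationService(max_attempts=3)

    def hardened_oracle(cid: str, fname: str, value: str) -> bool:
        # Attacker has no verified session, so every call is refused.
        return svc.confirm({"consumer_id": cid, "identity_verified": False},
                           fname, value) == "match"

    def hardened_oracle_verified(cid: str, fname: str, value: str) -> bool:
        # Even a verified session is locked out after max_attempts guesses.
        return svc.confirm({"consumer_id": cid, "identity_verified": True},
                           fname, value) == "match"

    return {
        "naive": brute_force_last_four(naive_confirm, "c-1001", "12345"),
        "hardened_unverified": brute_force_last_four(hardened_oracle, "c-1001", "12345"),
        "hardened_verified": brute_force_last_four(hardened_oracle_verified, "c-1001", "12345"),
        "locked_events": sum(1 for e in svc.audit_log if e[0] == "locked"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The naive endpoint hands the attacker the complete number after at most 10,000 calls; the hardened one refuses an unverified caller outright and, for a verified one, stops answering after three attempts, with each refusal visible in the audit log for the team handling rights requests to review.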
Authorized Agent Requests
The revised regulations also update the process for handling requests made by authorized agents. While the regulations continue to permit businesses to require consumers to either verify their own identity or directly confirm that an authorized agent is acting on their behalf, businesses are now prohibited from requiring consumers to resubmit the rights request in their individual capacity when using an authorized agent. Id. § 7063.
Accordingly, if a business currently requires consumers to log in to their account to verify their identity, then further requires them to submit the request directly through the website rather than through the authorized agent, this process will violate the revised regulations.
Takeaway: In response to a request to correct, businesses must now either provide the consumer with the name of the source of the contested information, or inform the source that the information is incorrect and must be corrected. If businesses are processing certain categories of sensitive personal information, they must provide a way for consumers to confirm the accuracy of that information, while maintaining robust security controls to prevent abuse by bad actors. If a business denies a request to correct health-related personal information, it must allow the consumer to provide a statement to be included in their record and ensure this statement is available to any party with whom the information is shared. Consumers using authorized agents to submit rights requests may not be asked to resubmit those requests in their individual capacity.
New Regulations Relating to ADMT, Cyber Audits, and Risk Assessments
In addition to the above amendments to the existing CCPA regulations, the Agency also adopted new regulations on ADMT, cybersecurity audits, and risk assessments.
ADMT Rules
The revised regulations impose new obligations for businesses using ADMT to make “significant decisions” about consumers. A “significant decision” involves the provision or denial of services such as financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services, but does not include advertising. These new requirements will take effect in 2027.
Earlier drafts of the proposed regulations included broad restrictions on artificial intelligence use, but the Agency significantly narrowed the scope of the ADMT regulations in the final rulemaking.
Businesses using ADMT for significant decisions must now (Id. §§ 7102, 7150(c), 7220-22):
- provide consumers with a pre-use notice about the business’s use of ADMT and the consumer’s right to opt-out and access information about such use;
- allow consumers to opt-out of ADMT, with certain exceptions;
- allow consumers to access specific information upon request, including the purpose of ADMT use, how it processed their personal information, and the outcome of the decisionmaking process;
- conduct risk assessments when using ADMT for significant decisions or processing personal information to train ADMT for such decisions; and
- if a business handles the personal information of at least 10 million consumers, disclose in its privacy policy or website the number of requests to access and opt-out of ADMT that were received, complied with, and denied.
Takeaway: Businesses should determine if their current use of ADMT makes “significant decisions” about consumers. If so, businesses should begin to prepare pre-use notices and settings to permit users to request opt-outs, and provide consumers with details regarding their products and services to ensure compliance by January 1, 2027.
Cybersecurity Audits
Also beginning in 2027, certain businesses will be required to conduct mandatory cybersecurity audits. Such audits must be performed if processing of consumers’ personal information may pose a “significant risk” to consumers’ security, though some businesses subject to the CCPA are scoped out of the audit requirement. Namely, a business must perform a cybersecurity audit if it: (a) derives 50% or more of its annual revenue from selling or sharing personal information; or (b) in the preceding calendar year had annual gross revenues exceeding $26,625,000 and processed (i) personal information of more than 250,000 consumers or households or (ii) sensitive personal information of more than 50,000 consumers. Id. § 7120.
Under the new regulations, an independent auditor knowledgeable about cybersecurity and cybersecurity audits must complete the audits in accordance with standardized procedures. Id. § 7122(a). The auditor can be internal or external, but if the business uses an internal auditor, that individual must report to a member of the business’s executive management team who does not have cybersecurity responsibility. Id. § 7122(a)(3).
The regulations establish a number of categories of information that the auditor must review and address in their report, if applicable, including (Id. §§ 7123(c), 7123(e)):
- authentication/encryption of personal information;
- account management and access controls;
- inventory and management of personal information;
- internal and external vulnerability scans;
- audit-log management / network monitoring and defenses;
- antivirus and anti-malware protections;
- segmentation of an information system;
- limitation and control of ports, services, and protocols;
- cybersecurity education and training;
- secure development and coding best practices;
- oversight of service providers, contractors, and third parties;
- retention schedules and disposal practices; and
- incident response management and disaster recovery plans.
Businesses must also submit an annual certification of completion to the Agency for each calendar year in which they are required to conduct an audit. The Agency has adopted the following phased implementation timeline for these cybersecurity audits based on business size (Id. § 7121(a)):
- April 1, 2028, if 2026 gross revenue exceeded $100 million;
- April 1, 2029, if 2026 gross revenue was between $50 million and $100 million; and
- April 1, 2030, if 2026 gross revenue was under $50 million.
Takeaway: Businesses engaging in processing activities that pose a “significant risk” should review their cybersecurity program against areas that will be audited, such as authentication, encryption, access controls, vulnerability scans, and incident response management. While the first audits do not need to be submitted in the next year, businesses may consider building in buffer time to assess and, if needed, modify their cybersecurity program and engage an independent auditor knowledgeable in cybersecurity to conduct the audit.
Risk Assessments
Finally, starting in 2026, businesses must conduct risk assessments for new processing activities that present a “significant risk” to consumer privacy. Notably, unlike in prior drafts, the final version of the regulations does not require businesses to submit all risk assessments to the Agency. Instead, a senior executive must submit an annual certified report to the Agency, outlining the number and types of risk assessments conducted and the categories of personal information involved. The Agency and the California Attorney General (AG) will still have the authority to request any risk assessment report, which must be submitted to the Agency or AG within 30 calendar days of the request. Id. § 7157(e).
Activities that pose a “significant risk” include (Id. § 7150(b)):
- selling or sharing personal information;
- processing sensitive personal information;
- using ADMT to make significant decisions concerning a consumer;
- using automated processing to infer a consumer’s characteristics based on their role as an applicant, student, employee, or independent contractor, or their presence in a sensitive location;
- processing personal information to train ADMT for significant decisions; and
- processing personal information to train biometric technology for identity verification or consumer profiling.
Covered businesses must conduct risk assessments before initiating any covered processing activity, and must review and update the assessment every three years or whenever they make a material change to the processing activity. The risk assessment evaluates whether the risks to consumers’ privacy outweigh the benefits to the consumers, business, stakeholders, and the public. Risk assessments must identify, among other things, the “benefits” to the business, consumers, stakeholders, and the public; the “negative impacts” on consumer privacy; and the safeguards planned for the processing. Id. § 7152(a)(3). Businesses may demonstrate their compliance with a risk assessment prepared for another purpose (e.g., compliance with GDPR or another US state privacy law), but must ensure that the other risk assessment satisfies the CCPA’s risk assessment requirements.
Further, businesses that make ADMT available to other businesses for significant decisions must supply the recipient businesses all necessary information to enable them to conduct their own risk assessments. Id. § 7153(a).
For covered activities initiated before January 1, 2026, businesses must conduct risk assessments by December 31, 2027, and submit attestations to the Agency by April 1, 2028. For activities initiated in 2026 and 2027, businesses must conduct risk assessments before starting those activities and submit attestations by April 1, 2028. For activities initiated after 2027, businesses must submit attestations by April 1 of the following year. Id. § 7157(a).
Takeaway: Beginning in 2026, businesses should assess their data processing activities to identify if they are required to conduct and submit risk assessments. If so, they may benefit from considering whether any prior or planned risk assessments for other purposes beyond compliance with the CCPA would meet the CCPA’s requirements or, in the alternative, prepare template risk assessments to leverage for future risk assessments. These actions will help businesses prepare to complete the risk assessments by December 31, 2027, and submit attestations by April 1, 2028.
Conclusion
The updated CCPA Regulations signal a new chapter in California’s privacy regime. In addition to introducing novel obligations with respect to ADMT, cybersecurity audits, and risk assessments, they also tighten several pre-existing requirements with respect to sensitive personal information, transparency, and consumer rights requests. As such, businesses will need to evaluate, assess and, if necessary, modify their current and planned data collection, disclosure, cybersecurity, and audit practices to ensure compliance.
Calendar of Effective Dates
| Regulations | Scope | Deadline |
|---|---|---|
| Revisions to Existing Regulations | All covered businesses | January 1, 2026 |
| ADMT Regulations | Businesses using ADMT for significant decisions | January 1, 2027 |
| Risk Assessment Regulations | Businesses that initiate covered activities before January 1, 2026 | Conduct risk assessments by December 31, 2027; submit attestations to the Agency by April 1, 2028 |
| Risk Assessment Regulations | Businesses that initiate covered activities in 2026 and 2027 | Conduct risk assessments prior to engaging in the covered activities; submit attestations to the Agency by April 1, 2028 |
| Cybersecurity Audit Regulations | Businesses with 2026 gross revenue over $100 million | April 1, 2028 |
| Cybersecurity Audit Regulations | Businesses with 2026 gross revenue between $50 million and $100 million | April 1, 2029 |
| Cybersecurity Audit Regulations | Businesses with 2026 gross revenue under $50 million | April 1, 2030 |