
New California Cyber Rules Will Require Risk Assessments for Use of Personal Information in Many Instances

Companies subject to California's comprehensive privacy law (the CCPA, as amended by the CPRA) will have new compliance requirements under regulations that were finalized in late July. The state privacy regulator had been working on the regs for more than a year, and the finalized regs are a watered-down version of the concepts initially floated. Having said that, the rules could still have a broad impact on covered businesses that process personal data of California residents. The new rules also impose cybersecurity audit requirements and limit the use of automated decision-making technologies (ADMT) in certain instances. If finalized, the risk assessment and ADMT requirements will take effect in 2027, with cybersecurity audit rules taking effect between 2028 and 2030, depending on the size of the business.

WHY IT MATTERS

Under the new California regulations, companies covered by the California laws must conduct and document a risk assessment before taking actions that place personal information at "significant risk," including any of the following: processing any "sensitive personal information" about consumers in California; "selling or sharing" personal information; using ADMT to make "significant decisions" about a consumer; using personal information to train ADMTs; and using automated technologies to profile consumers under certain circumstances, including to assess employee job performance. The risk assessment must be updated at least every three years and meet certain formal documentation requirements.

These requirements are likely to cover a broad range of companies, including many small and medium businesses. If your company has customers, suppliers, or employees in California, late 2025 is a good time to check on the new requirements and understand how they affect your website, internal operations, HR, and B2B relationships. Failure to comply can result in investigations and fines, among other actions.

The rules require a risk assessment any time a business processes data that might present a risk to consumers' privacy. Those instances include the selling or sharing of personal information; processing sensitive personal information; using ADMT for a significant decision concerning a consumer; using personal information to train ADMT for certain uses; and using automated processing to infer attributes about someone during education, job seeking, employment, or independent contracting for a business. The risk assessment regulations also require companies to "identify and document" the personal information their ADMT system will process.
