Key Takeaways After California Finalizes Sweeping New CCPA Regulations

Client Alerts | October 13, 2025

On September 23, 2025, the California Privacy Protection Agency finalized major regulations under the California Consumer Privacy Act (CCPA), introducing new requirements for cybersecurity audits, risk assessments, automated decision-making technology (ADMT), insurance, and expanded consumer rights. These changes represent the most significant expansion of California’s privacy requirements since the CCPA’s initial enactment, with new obligations taking effect January 1, 2026.

The expanded regulations significantly increase litigation risk for businesses well beyond California's borders, and they create urgency for businesses to update their best practices across cybersecurity, data privacy, and vendor management. 

Key Updates

  • Cybersecurity Audits: Businesses meeting certain revenue thresholds must submit annual cybersecurity audit certifications to the California Privacy Protection Agency, with phased deadlines from 2028 to 2030. Audits must be comprehensive and must include executive-level reporting and sworn certifications.
     
  • Risk Assessments: Starting January 1, 2026, businesses subject to risk assessment requirements must attest to completed assessments and submit summaries to the California Privacy Protection Agency by April 1, 2028. Risk assessments must be performed if processing personal information presents a significant risk to consumer privacy. Assessments are required before new high-risk processing activities. 
     
  • Automated Decision-Making Technology (ADMT): Starting January 1, 2027, businesses using ADMT to substantially replace human decision-making in certain areas (e.g., employment, financial or lending, health care treatment, education, and housing) must comply with the new rules. These rules include providing notice of use of ADMT and opt-out rights. 
     
  • Expanded Consumer Rights: Businesses must confirm opt-out requests (including Global Privacy Control signals) using clear website indicators. Privacy policies must disclose more detail on personal information shared with service providers and contractors. “Dark patterns” in consent mechanisms are now prohibited. (For more information on the multi-state regulatory focus on GPC and opt-out signals, see our prior alert.)
     
  • Sensitive Personal Information: The definition now includes neural data generated by measuring nervous system activity. This data can sometimes be tracked through wearable devices, virtual reality systems, and other products and, in simplistic terms, tracks brainwaves. Such data has the potential to indicate details about a person’s mental state, health, and cognitive functions.

Who Must Comply?

The regulations apply to any business that meets one or more of the following criteria:

  • Has annual gross revenue over $26,625,000 (globally).

  • Buys, receives, sells, or shares the personal information of 100,000+ California residents or households per year (including website visitors, customers, employees, and business contacts).

  • Derives 50%+ of annual revenue from selling or sharing personal information.

  • Operates as an insurance company in California.

  • Uses ADMT for significant decisions about California residents.

Location is irrelevant: If a business meets any one of these thresholds and processes California residents’ personal information, it must comply. Note that ADMT requirements apply only to businesses using automated decision-making, but other obligations — such as risk assessments, audits, and expanded consumer rights — apply to all businesses meeting the thresholds.

Litigation Risk & Best Practices

The expanded regulations significantly increase litigation risk for businesses, especially in these areas:

1. Data Breach & Unauthorized Disclosure via Tracking Technologies

  • Shah v. Capital One Financial Corp.: In 2024, a major retailer faced a class action lawsuit after a ransomware attack exposed customer data. Plaintiffs cited failure to implement “reasonable security procedures” as required by the then-current regulations of the CCPA.
     
  • New Risk: The requirement for annual cybersecurity audits means plaintiffs and regulators will scrutinize whether businesses followed mandated protocols. Lack of documentation or incomplete audits can undermine defenses.

2. Vendor Management & Privacy Controls

  • Tractor Supply Company Enforcement Action: The California Privacy Protection Agency imposed a $1.35 million fine and required comprehensive reforms after finding failures in vendor contracts and opt-out mechanisms.
     
  • New Risk: The new regulations require enhanced privacy policies and vendor contracts. Gaps in these areas trigger both regulatory fines and private lawsuits.

3. Documentation & Governance

  • CPPA v. Superior Court of Sacramento County: The California Court of Appeal confirmed the California Privacy Protection Agency's authority to enforce CCPA regulations without delay, including requirements for documentation and compliance records.
     
  • New Risk: The new rules require ongoing documentation of compliance activities. Lack of records can be used against businesses in litigation and enforcement proceedings.

Best Practices for Reducing Litigation Exposure

To minimize litigation risk under the new regulations, businesses should:

  1. Conduct regular cybersecurity audits. 
  2. Implement robust risk assessment protocols. 
  3. Review and update consent mechanisms. 
  4. Strengthen vendor contracts. 
  5. Enhance privacy policy disclosures.
  6. Prepare for ADMT compliance. 
  7. Maintain comprehensive documentation.
  8. Monitor regulatory developments. 

Conclusion

The new CCPA regulations significantly expand consumer rights and compliance obligations. Businesses should act now to review privacy programs, update policies, and prepare for phased implementation of the new rules.

For more information, please contact us or your regular Parker Poe contact.