California Finalizes Sweeping Privacy Regulations, Raising the Bar for Businesses
Key Takeaways
- Effective Date: New regulations go into effect January 1, 2026, with staggered compliance deadlines for specific requirements.
- Cybersecurity Audits: Tiered deadlines based on company revenue, beginning in 2028 for firms making over $100 million and extending to 2030 for smaller companies.
- Risk Assessments: Businesses must comply starting January 1, 2026, and submit attestations and summaries of risk assessments by April 1, 2028.
- Automated Decision Making Technology (ADMT): Companies using ADMT for significant decisions must comply with oversight requirements beginning January 1, 2027.
- Regulatory Impact: Businesses face expanded compliance expectations that integrate cybersecurity, AI governance, and risk management into their privacy frameworks.
Deep Dive
California has finalized a new set of privacy regulations that expand requirements for cybersecurity audits, risk assessments, and the use of automated decision-making technology (ADMT). The California Privacy Protection Agency (CPPA) confirmed on September 23 that the Office of Administrative Law has approved the rules, concluding years of debate and public input.
The regulations, which take effect on January 1, 2026, mark a significant evolution of the California Consumer Privacy Act (CCPA) framework. They also extend compliance expectations for sectors like insurance and update existing obligations for companies that process large amounts of consumer data.
A Multi-Year Effort to Strengthen Consumer Privacy
The CPPA emphasized that the rule-making process was shaped by extensive engagement with businesses, civil society groups, and the public. Multiple hearings and hundreds of comments were reviewed before the Board adopted the final package.
“These rules ensure that Californians continue to have the strongest privacy protections in the country while being responsive to the realities of business implementation,” said Jennifer Urban, Chair of the CPPA Board.
Phil Laird, the agency’s General Counsel, underscored the balancing act regulators faced. “Our goal has always been to give consumers meaningful rights and also provide practical compliance pathways for businesses,” he said.
Staggered Timelines for Cybersecurity Audits
The new regulations introduce a tiered schedule for mandatory cybersecurity audits. Businesses must begin submitting certifications to the CPPA based on annual revenue:
- Companies making over $100 million must comply by April 1, 2028.
- Those earning between $50 million and $100 million face an April 1, 2029 deadline.
- Firms under $50 million have until April 1, 2030.
This phased approach gives smaller organizations more time to build the necessary audit infrastructure, though the requirements are expected to be resource-intensive across the board.
Risk Assessments and ADMT Oversight
Risk assessments will become a near-term obligation, with compliance required as of January 1, 2026. By April 1, 2028, businesses must submit both an attestation of compliance and a summary of their risk assessment activities to the CPPA.
Meanwhile, rules governing automated decision-making technology (ADMT)—covering tools that make significant decisions about individuals, such as hiring, lending, or insurance determinations—will come into force on January 1, 2027. Regulators aim to give businesses additional time to adapt, but the move underscores growing scrutiny over AI-driven decision making.
The regulations create a dual challenge: meeting technical obligations while ensuring organizational governance frameworks are updated to track, document, and report compliance. Companies will need to rethink how they manage cyber resilience, data governance, and AI risk, areas increasingly converging in regulatory expectations worldwide.
The CPPA’s regulations reinforce California’s position as a privacy trailblazer in the U.S., and they are likely to influence discussions at the federal level and in other states. Businesses, meanwhile, now face a countdown to compliance that extends across multiple deadlines, each with potentially costly consequences for failure.