CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations

On July 24, 2025, the California Privacy Protection Agency (Agency) Board adopted regulations that (1) updated existing CCPA regulations; (2) implemented requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implemented consumers' rights to access and opt–out of businesses' use of ADMT; and (4) clarified when insurance companies must comply with the CCPA.

Effective Date: January 1, 2026

Status of the Proposal: The rulemaking is complete. On September 22, 2025, the regulations were approved by the Office of Administrative Law and filed with the Secretary of State.

Documents

September 22, 2025 – Final Rulemaking Documents

May 9, 2025 – Public Notice of Modifications to Proposed Regulations

January 13, 2025 – Public Notice of Extension of Comment Period

Notice of Extension of Public Comment Period and Additional Hearing Date

November 22, 2024 – Public Notice of Rulemaking and Related Documents

Public Comments

Comments received during the initial 45-day comment period are linked below.

Written Comments

Oral Comments

Transcript of comments received during February 19, 2025 Public Comment Hearing

Comments received on modified text during the 15-day comment period are linked below.

Written Comments

Preliminary Rulemaking Activities

The Agency solicited preliminary written comments from the public via an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies from February 10, 2023 through March 27, 2023. That period has closed, and the public comments are available via the links below.

Comments received during preliminary public comment period

Name	Organization	Comment #	Comment (ID, pages)
Megan Gray	GrayMatters Law and Policy	P1	PDF1 - 1-26
Nicole Day		P2	PDF1 - 27
Sidney Hoff	American Express	P3	PDF1 - 28-36
David Swetnam-Burland et al.	Brann & Isaacson	P4	PDF1 - 37-41
Ed Howard	University of San Diego School of Law Children's Advocacy Institute	P5	PDF1 - 42-265
Robert Healey	Formiti Data International UK	P6	PDF1 - 266
Ridhi Shetty	Center for Democracy & Technology	P7	PDF1 - 267-297
Stu Ingis et al.	Association of National Advertisers	P8	PDF1 - 298-303
Joanne Furtsch	TrustArc	P9	PDF1 - 304-311
Kate Goodloe	BSA \| The Software Alliance	P10	PDF1 - 312-334
Howard Fienberg et al.	Insights Association	P11	PDF1 - 335-338
Hicham Abdessamad	Hitachi Group	P12	PDF1 - 339-343
Stephen C. Dwyer	American Staffing Association	P13	PDF1 - 344-348
Alvaro Marañon	Computer & Communications Industry Association	P14	PDF1 - 349-370
Tabitha Edgens	Bank Policy Institute	P15	PDF1 - 371-384
Dylan Hoffman	TechNet	P16	PDF1 - 385-400
Odia Kagan	Fox Rothschild	P17	PDF1 - 401-408
Allison Adey et al.	Personal Insurance Federation of California et al.	P18	PDF1 - 409-415
Don Erickson	Security Industry Association	P19	PDF1 - 416-425
David Wendell Phillips		P20	PDF1 - 426-433
Dave O'Toole		P21	PDF1 - 434-437
Gerard Keegan et al.	CTIA - The Wireless Association	P22	PDF1 - 438-474
Melissa MacGregor	Securities Industry and Financial Markets Association	P23	PDF1 - 475-481
Tracy Chou	Block Party	P24	PDF1 - 482-486
Jenn Taylor Hodges et al.	Mozilla	P25	PDF1 - 487-493
Jeff Reed et al.	Proofpoint et al.	P26	PDF1 - 494-501
Douglas K. Johnson et al.	Consumer Technology Association	P27	PDF2 - 1-17
Craig Erickson		P28	PDF2 - 18-124
Paul Lekas	Software & Information Industry Association	P29	PDF2 - 125-132
Hilary M. Cain	Alliance for Automotive Innovation	P30	PDF2 - 133-136
Keir Lamont	Future of Privacy Forum	P31	PDF2 - 137-147
Laila Abdelaziz	Centre for Information Policy Leadership	P32	PDF2 - 148-172
Matt Schwartz et al.	Consumer Reports	P33	PDF2 - 173-193
Asian Industry Business to Business et al.		P34	PDF2 - 194-198
Lucy Chinkezian	Civil Justice Association of California	P35	PDF2 - 199-216
Maya McKenzie	Entertainment Software Association	P36	PDF2 - 217-230
Eric J. Ellman	Consumer Data Industry Association	P37	PDF2 - 231-237
Matthew Kownacki	American Financial Services Association	P38	PDF2 - 238-242
Electronic Privacy Information Center et al.		P39	PDF2 - 243-300
Drew Bagley et al.	CrowdStrike	P40	PDF2 - 301-309
Julian Cañete et al.	California Hispanic Chambers of Commerce et al.	P41	PDF2 - 310-314
Leigh Freund	Network Advertising Initiative	P42	PDF2 - 315-324
Sun Park	SAFE Credit Union	P43	PDF2 - 325-327
Danielle Coffey	News/Media Alliance	P44	PDF2 - 328-332
Denneile Ritter	American Property Casualty Insurance Association	P45	PDF2 - 333-338
Jarrell Cook	Workday	P46	PDF2 - 339-347
Justin Kloczko	Consumer Watchdog	P47	PDF2 - 348-352
Jennifer King	Stanford Institute for Human-Centered Artificial Intelligence	P48	PDF2 - 353-418
Rachel Michelin	California Retailers Association	P49	PDF2 - 419-431
Lindsey Tonsager et al.	California Chamber of Commerce	P50	PDF2 - 432-444
Jennifer King et al.	Stanford University Program in Public Policy	P51	PDF2 - 445-459
Jordan Crenshaw	U.S. Chamber of Commerce's Technology Engagement Center	P52	PDF2 - 460-473
Meghan G. Anderson	National Institute of Standards and Technology	P53	PDF2 - 474-505

Comments received after close of preliminary public comment period

Name	Organization	Comment #	Comment (ID, pages)
Anthony Stark	ZoomInfo	PL1	PDF3 - 1-3
Jill Szewczyk	Colorado Department of Law	PL2	PDF3 - 4-10
Martin Abrams et al.	Information Accountability Foundation	PL3	PDF3 - 11-18
R. Jason Cronk	Enterprivacy Consulting Group	PL4	PDF3 - 19-29
Leticia Garcia	California Grocers Association	PL5	PDF3 - 30-37
Joanne Furtsch	TrustArc	PL6	PDF3 - 38-48