On July 24, 2025, the California Privacy Protection Agency (CPPA) voted unanimously to finalize rules under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act. These new rules introduce significant obligations for businesses subject to the CCPA. They impose requirements on the use of automated decision-making technologies (ADMT) and mandate cybersecurity audits and risk assessments. The California Office of Administrative Law must review and approve these rules by around September 5, 2025. Once approved, they will become effective on a phased basis between 2027 and 2030.
