California approves new privacy rules for automated decision-making software

California’s Privacy Protection Agency on Tuesday announced it had received final approval from the California Office of Administrative Law on regulations regarding cybersecurity audits, risk assessments and automated decision-making tools, ending a yearslong process of feedback and markups.
The new regulations, which have drawn mixed reactions, were approved by the CPPA board in July and submitted to the Office of Administrative Law for formal acceptance, which they needed before they could take effect next year. The regulations will go into effect Jan. 1, but businesses have additional time to comply with some of the new requirements, including the cybersecurity audits and risk assessments.
The regulations arrive after more than a year of drafting, revisions, public comments and debates to explore guardrails for the technology, which kicked off in 2021 as part of the CPPA’s work to understand emerging artificial intelligence technologies and how they interact with 2018’s California Consumer Protection Act, the standard-setting consumer data privacy law that set off a tidal wave of state-level, comprehensive data-privacy legislation.
Many, including Gov. Gavin Newsom and industry interest groups, offered their opinions throughout the process, urging the CPPA board not to overly regulate the burgeoning AI market, which resulted in any references to “artificial intelligence” being scrubbed from the regulations.
As a result, the CPPA’s new rules broadly define automated decision-making tools as those that replace human decision-making for “significant decisions” in areas like lending, housing, employment, education, independent contracting opportunities and health care. Businesses covered by CCPA must also provide consumers with clear notices about how automated tools are used, including the logic involved, the potential risks and information about individuals’ rights.
The notices must also be presented to consumers at or before the point of data collection, and, most notably, businesses are required to offer consumers two “opt out” methods. These regulations go into effect Jan. 1, 2027.
The new regulations also require businesses to conduct and document regular risk assessments when engaging in any activity that could present a risk to consumers’ privacy or security, especially when they use automated decision-making tools, or sell, share or process consumers’ personal information. The risk assessments also must “identify and document” which types of personal information the tools will process, and they must be reviewed and updated at least once every three years. Businesses must submit risk assessment attestations to the CPPA by April 1, 2028, but compliance begins next Jan. 1.
Similarly, businesses that process personal information will also now be required to conduct annual cybersecurity audits. In most cases, the audits must be conducted by “qualified, objective, independent” professional auditors. Audits that are conducted for other purposes — such as ensuring compliance with the National Institute of Standards and Technology’s Cybersecurity Framework — can be used to fulfill the CCPA’s audit requirement.
The regulations offer leeway for businesses that make less than $100 million but more than $50 million — they’ll be given until 2029 to comply. Those that make less than $50 million have until 2030. Businesses grossing more than $100 million in 2026 must complete audits for 2027 by April 1, 2028, but all businesses meeting the general audit applicability requirements will have to complete audits for 2029 by April 1, 2030.
The new rules have been met with mixed reactions. Cobun Zweifel-Keegan, managing director of IAPP, a data-privacy nonprofit, said they offer much-needed clarity.
The CCPA also has broader implications, as California’s privacy rule-making tends to influence other states’ consumer privacy laws.
“With substantial updates across a wide range of California’s privacy law, the final regulations have important implications for many companies,” Zweifel-Keegan wrote in an emailed statement. “The rules add clarity to some important questions, like how the application of California’s privacy law to employees should be considered. There will be operational impacts beyond the major updates, but those big pieces like cybersecurity audits and automated decision making systems should be a top priority for privacy teams to review and verify compliance before the rules go into effect on January 1.”
Kristian Stout, director of innovation policy at the International Center for Law and Economics, a nonprofit research group, said the new rules are overly broad and that their definitions could stifle innovation, particularly for small and medium-sized businesses.
“While the CPPA was reasonable in its interest in looking at these rules in light of new technologies, the core framework remains rigid and risks placing California at a competitive disadvantage in AI leadership,” Stout wrote in an emailed statement. “The compliance burdens, particularly the phased cybersecurity audits and risk assessments, are a substantial cost for businesses of all sizes, and the impact on small businesses and the digital advertising ecosystem remains a valid concern. The CPPA’s rules further divide a fractured regulatory landscape, forcing businesses to navigate complex and potentially contradictory obligations.”