California's most recent privacy amendments introduce key compliance duties covering automated decision-making, risk assessments, and cybersecurity audits.
On July 24, 2025, the California Privacy Protection Agency (CPPA) voted unanimously to enact essential regulatory updates to the California Consumer Privacy Act (CCPA). The amendments bring stringent new standards for Automated Decision-Making Technology (ADMT), cybersecurity audits, and risk assessments, along with clarifications about applicability to insurance businesses.
What happens next?
Before the regulations take effect, they will first be submitted to the California Office of Administrative Law for final review. Enterprises need to understand the following and act on it.
What is changing?
The updates cover four primary areas:
1. Automated Decision-Making Technology (ADMT)
The new rules cover artificial intelligence (AI), machine learning, and even rule-based systems like spreadsheets and databases, especially when these are used in decision-making processes that affect healthcare, credit and financing, employment, housing, education, or contractors.
Enhanced consumer rights: Organizations must have appeal systems that are overseen by humans, give customers explicit pre-use disclosures, and allow consumers to opt out of receiving certain communications.
Recordkeeping and risk assessments: During both the training and deployment of ADMT, businesses are required to complete risk assessments, revise vendor agreements in accordance with the findings, and keep detailed records of disclosures, consumer requests, and decisions.
2. Cybersecurity audits
Businesses are required to conduct mandatory cybersecurity audits on a schedule that depends on their annual gross turnover:
≥ $100 million: April 1, 2028
$50 million to $100 million: April 1, 2029
Less than $50 million: April 1, 2030
Audit reports must include established rules and processes, as well as the audit criteria and the evidence examined.
3. Risk assessments
Regular risk assessments are now required for high-risk data processing. Beginning April 1, 2028, enterprises must submit a yearly attestation confirming these assessments for the preceding year.
4. Clarifications for insurance businesses
The regulations detail the requirements that insurance firms must fulfill, so that the CCPA is applied in a clear manner.
Compliance timeline overview
ADMT compliance: takes effect January 1, 2027
Cybersecurity audits: from April 1, 2028 to 2030, depending on the size of the company
Risk assessment attestation: annually, beginning April 1, 2028
What actions should companies take right now?
Organizations should take the following steps immediately to keep ahead of these changes:
Inventory ADMT use cases: Locate and record all automated decision-making systems that are currently in use or planned, including any tools provided by third parties.
Create consumer protection measures: To comply with the new transparency rules, map out detailed disclosure workflows and establish explicit opt-out and appeal mechanisms.
Keep vendor contracts up to date: Amend contracts so that vendors cooperate in supporting compliance, transparency, and risk management.
Develop risk assessment frameworks: Implement comprehensive risk assessment methodologies and establish routine auditing procedures.
Improve recordkeeping practices: To demonstrate compliance with the revised requirements, keep complete records of all contacts with customers, evaluations, and compliance actions.
Stay informed
These regulatory revisions bring the growing complexity and demanding operational requirements of CCPA compliance into sharper focus. Organizations should begin preparing and actively monitoring changes in the fourth quarter of 2025 for audit duties beginning in 2027 and beyond, especially if they intend to adopt ADMT. Staying proactive now will make future compliance transitions smoother.
The Mavericks gives enterprises access to AI-driven privacy and risk capabilities, including built-in support for automated rights requests, vendor management, and risk assessment procedures that are in line with growing needs.
Request a demo at The Mavericksco.com to see the platform in action and learn how The Mavericks can help you operationalize the new CCPA requirements, from ADMT disclosures to audit preparedness.





