Privacy Regulations Reviewed by CLTA Adopted - Know the Compliance Dates

California Privacy Protection Agency (CPPA) regulations were approved by the California Office of Administrative Law in late September and will take effect on January 1.  A draft of the regulations was circulated to the members of the CLTA’s Privacy Working Group.  The regulations cover cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), insurance companies, and updates to existing CCPA regulations.

Although the regulations go into effect January 1, 2026, there is a set timeframe for compliance with some of the new requirements, namely cybersecurity audits, risk assessments, and requirements for automated decision making technologies.

Cybersecurity Audits

Businesses required to complete cybersecurity audits must submit certifications to the CPPA by:
​

1. April 1, 2028, if the business makes over $100 million;
2. April 1, 2029, if the business makes between $50 million and $100 million; or
3. April 1, 2030, if the business makes less than $50 million. 

Risk Assessments

Businesses subject to risk assessment requirements must begin compliance by January 1, 2026. By April 1, 2028, they must submit to the CPPA:

1. An attestation that required risk assessments were completed, and
2. A summary of their risk assessment information.

Automated Decisionmaking Technology (ADMT)

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.

The full text of the regulations can be found at:  https://cppa.ca.gov/regulations/ccpa_updates.html.