On May 1, 2025, the California Privacy Protection Agency (CPPA) announced substantial revisions to its draft California Consumer Privacy Act (CCPA) regulations, particularly concerning automated decision-making, cybersecurity audits, and risk assessments. With a public comment period now open until June 2, 2025, companies affected by the CCPA need to weigh in and prepare for these anticipated changes as they are set to be finalised by November 2025.
Key Points
- CPPA is revising CCPA regulations on automated decision-making and cybersecurity audits.
- A new phased timeline for cybersecurity audits is introduced, varying by revenue size.
- Businesses must ensure consumers can withdraw consent for data processing at any time.
- New rules for privacy disclosures aim to enhance consumer transparency across digital platforms.
- Significant changes to automated decision-making definitions limit regulatory scope.
Why should I read this?
If you’re running a business in California, this article is a must-read. The proposed changes to the CCPA could significantly impact how you handle consumer data and compliance procedures. We’ve done the heavy lifting to summarise the key points for you, so you can be prepared and ready to adapt, rather than scrambling at the last minute. Don’t miss your chance to have your say while the comment period is still open!