On September 23, 2025, the California Privacy Protection Agency (“CPPA”) announced that the proposed rules relating to cybersecurity audits, risk assessments, and automated decisionmaking technology (“ADMT”), along with updates to existing rules, had been finalized following review by the Office of Administrative Law.

The rules become effective January 1, 2026, though deadlines for cybersecurity audits, risk assessments, and ADMT are later, as described below.

Cybersecurity Audits

  • Businesses must complete a cybersecurity audit if processing presents a “significant risk” to consumers’ security.
  • Processing presents a significant risk if the business:
    • Derived 50% or more of its annual revenues from selling or sharing consumers’ personal information; or
    • Had annual gross revenues in excess of $25M; and
      • Processed PI of 250,000 or more consumers; or
      • Processed the sensitive PI of 50,000 or more consumers.
  • The audit deadlines are staggered based upon a business’s annual gross revenue:
    • April 1, 2028, if over $100M;
    • April 1, 2029, if between $50M and $100M;
    • April 1, 2030, if less than $50M.

Risk Assessments

  • All businesses must submit an initial risk assessment to the CPPA no later than April 1, 2028, if the processing presents a significant risk to consumers’ privacy. Such processing includes:
    • Selling or sharing PI;
    • Processing sensitive PI;
    • Using ADMT to make significant decisions concerning consumers, such as the provision of financial or lending services, etc.;
    • Using automated processing to infer certain consumer characteristics;
    • Processing PI that is intended to be used to train ADMT.

ADMT

  • By January 1, 2027, businesses that use ADMT must notify consumers of:
    • The purpose of using ADMT;
    • The right to opt out of ADMT;
    • The right to access ADMT;
    • How ADMT is used to make significant decisions, and how the decisions would be made if the consumer opts out.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.