
California continues to expand its privacy regulations, outpacing the federal government and affecting companies doing business in the state. The California Office of Administrative Law recently approved regulations covering cybersecurity audits, risk assessments, and the use of automated decisionmaking technologies (ADMT). The regulations build on the framework of the California Consumer Privacy Act (CCPA) and add sweeping new requirements for businesses that use ADMT to make significant decisions.
Effective January 1, 2026, with most compliance deadlines hitting in 2027, these rules represent one of the most significant developments in U.S. privacy law since the CCPA itself.
For businesses, now is the time to prepare. The new mandates touch everything from hiring and lending to healthcare and insurance. Understanding where your company’s systems fit into this landscape is now a legal necessity, not merely a technical one.
The final regulations create three new areas of compliance: (1) obligations for businesses that are using ADMT to make “significant decisions” concerning consumers; (2) risk assessments where businesses are processing consumer personal information presenting a significant risk to consumers’ privacy; and (3) cybersecurity audits for businesses meeting certain thresholds.
The regulations impose requirements on businesses that use ADMT to replace or substantially replace human decisions for “significant decisions” about individuals. “Significant decisions” include decisions that assess job applicants, approve or deny loans, set insurance terms, or determine access to education or healthcare. In short, if a system helps decide whether someone gets an opportunity or a benefit, the company must comply with the new regulations.
Businesses using ADMT for significant decisions must now explain their use of ADMT in plain, understandable terms before deploying it. These “pre-use” notices must outline what data is collected, how it’s analyzed, what role automation plays, and whether any human oversight exists. Consumers also gain the right to opt out of being subject to ADMT for significant decisions, subject to certain exceptions. If an automated system screens candidates or determines loan eligibility, for example, the company must be prepared to explain and, if necessary, overturn that outcome through human intervention.
Before beginning any high-risk processing—which includes selling or sharing personal information, processing sensitive personal information, and using ADMT for significant decisions or training ADMT—businesses must conduct a detailed risk assessment evaluating the purpose, scope, and potential harms of the activity. This means the trigger for risk assessments includes more than ADMT. It is any qualifying high-risk processing, and it extends beyond security to risks of bias, exclusion, or unfair outcomes. These assessments must also document safeguards and show how the business maintains accountability.
Submission of key portions of these assessments to the California Privacy Protection Agency (CPPA), California’s dedicated privacy regulator, will start in 2028, and annual updates will be expected.
The final rules also introduce annual cybersecurity audits for larger companies and for those heavily reliant on personal data. The audits must be conducted independently and go beyond management attestations, providing a realistic assessment of security programs, vendor oversight, and incident response capabilities. They will culminate in an executive certification to the CPPA. Depending on a company’s size and revenue, the first reports will be due between 2028 and 2030, but aligning your cybersecurity and privacy teams early will be crucial.
Businesses need to start planning now. Begin by mapping where ADMT already appears in your organization; it is often found in hiring tools, credit assessments, or automated eligibility engines. Collaborate with technical and compliance teams to draft disclosures, build risk assessment templates, and coordinate with security leadership on audit planning. Establishing governance early will prevent last-minute scrambles and show regulators that your organization treats these obligations seriously.
California’s new privacy regulations extend the CCPA’s mission into the age of AI. For companies making consequential decisions through technology, this is the next major compliance frontier. Getting ahead of it now, before the first enforcement wave, will not only reduce risk but also strengthen consumer and regulator trust in how your organization uses data. Experienced outside counsel knowledgeable on the latest developments in California privacy law can provide invaluable assistance.