On July 24, 2025, the California Privacy Protection Agency (CPPA) approved amendments to the California Consumer Privacy Act (CCPA). These new CCPA regulations expand compliance obligations for businesses, with a strong focus on artificial intelligence, cybersecurity, and risk management.
Companies operating in California or handling California residents’ data must begin preparing now to meet these updated requirements by the 2030 deadline.
Automated decision-making technology
The new rules introduce the concept of “automated decision-making technology” (ADMT) instead of defining artificial intelligence directly. ADMT includes any technology that processes personal information to replace or substantially replace human decision-making.
For example, if a business uses software to automatically classify customers for marketing campaigns without human oversight, that may fall under ADMT. However, tools like web hosting or antivirus software are excluded if they do not replace human decisions.
The CCPA’s updated regulations allow consumers to opt out of ADMT when it affects significant life areas, such as housing, healthcare, employment, or financial services. Businesses must provide clear notices explaining how ADMT works, what decisions it influences, and how consumers can opt out. Importantly, companies must allow multiple opt-out methods, including an online form.
Cybersecurity audits
The CPPA is linking privacy obligations with cybersecurity requirements. Under the new rules, certain businesses must complete annual cybersecurity audits. These reviews must evaluate how well the company protects personal data against unauthorized access and disclosure.
A business must complete an audit if:
- It derives 50 percent or more of its revenue annually from sharing or selling personal information.
- It has annual gross revenue over $25 million and collects, uses, retains, or otherwise processes:
  - The personal information of over 250,000 customers, or
  - Sensitive personal information of over 50,000 customers.
The audits must cover key areas such as authentication, access controls, software and hardware configuration, network monitoring, and employee cybersecurity training. Audits must be conducted by an independent and qualified professional, and the findings must be documented in detail, including any weaknesses or risks.
Depending on annual revenue, businesses must complete their first audit by April 1, 2028, or 2030. Each year, they must submit a certification of completion to the CPPA. This requirement raises the stakes for organizations that may have previously treated privacy and security as separate compliance issues.
Risk assessments before processing
Another major addition to the CCPA regulations is the requirement for risk assessments before processing consumer data in ways that pose significant risks. This includes selling or sharing personal data, processing sensitive information, or using ADMT to make important decisions about consumers.
Risk assessments must document:
- The specific purpose of the data processing.
- The benefits to the business and other stakeholders.
- The categories of personal and sensitive data involved.
- Safeguards such as encryption or other privacy-enhancing measures.
- Potential negative impacts on consumers, such as discrimination or loss of control over personal data.
Businesses must update risk assessments every three years or sooner if processing activities materially change. For activities conducted in 2026 or 2027, companies must submit an attestation to the CPPA by April 1, 2028, signed by an executive with direct responsibility for compliance. While it may seem like a distant deadline now, this process will take time; accounting firms must begin preparing now.
Other important updates
In addition to ADMT, audits, and risk assessments, the amended CCPA regulations include several notable changes:
- Neural data: Information from a consumer’s nervous system, such as data collected by advanced health devices, is now classified as sensitive personal information.
- Website and app links: Any required “conspicuous links,” such as opt-out links, must appear on every webpage or mobile app screen where personal information is collected.
- Choice architecture: Businesses may not design consent processes that interfere with consumer choice, such as hiding privacy terms within unrelated agreements.
- Right to limit clarification: Notices about the Right to Limit must be given in the same context as data collection. For example, if sensitive data is collected through a connected device, the notice must be presented through the device itself.
- Accountants: Accounting firms must comply with the CCPA when handling high-value sensitive personal information, such as financial and account information, location data, and details about personal circumstances.
Preparing for compliance
These updates to the CCPA regulations reflect California’s growing focus on artificial intelligence, cybersecurity, and consumer rights. Businesses should begin preparing by:
- Reviewing how they use ADMT in decision-making.
- Updating privacy notices to include pre-use ADMT disclosures.
- Identifying whether they meet the threshold for annual cybersecurity audits.
- Implementing structured processes for conducting and documenting risk assessments.
- Ensuring links and consumer choice mechanisms comply with new display requirements.
The compliance timelines stretch to 2027 and beyond, but waiting may expose businesses to regulatory and reputational risk. Companies that act early will meet state requirements and build stronger trust with consumers.
Protect your business with cyber liability coverage
Regulatory compliance has never been more complex. From data privacy rules to cybersecurity requirements, businesses face heightened legal and financial risks. That is why securing strong liability protection is essential.
At McGowan Professional, we specialize in Cyber Liability Insurance for accountants, bookkeepers, investment advisors, and lawyers. Our broad network of carriers and decades of experience ensure you receive the right protection for your firm.
Take the first steps to safeguarding your practice today: McGowan Professional’s Cyber Liability Insurance